23542300x800000000000000055747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.934{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.934{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0IZ8NR8A1G\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.681{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A368B347E90315EC5D75E825C1BE9050,SHA256=5A62E2D5D22B2EFDAE98D211077075635DAC039B7C29622D0AA864584993A248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028258Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:27.061{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED9AEAA495743A39431896B6354AF31,SHA256=3296B8DC41C8F4CAB645F4EB202B612DAF2A530F87F1BF15F0DAEEA896CC2744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0544CE2CCCAB0F9AD44A9C6092D618C7,SHA256=DCA10843B2ABACB85D856BCBD421B43789D0B29E74A1469D15C7086F06E04141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:27.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E285B41FBF1967A3EBF9ABDEA75E1F24,SHA256=4B5B62716F057A181251C9B118F16A4BA21C35255749A358CE43C52851E98F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.996{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.996{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0VFIRUF5ZE\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.980{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dll.auxMD5=84B8ACC5B13C06E48410687ADC7579D0,SHA256=CB2EC2B2788E5069BB12B9308159586E291BDF30E214CEF871EA1E6B2BEBB118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.980{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0QG8HSQLNT\System.ni.dllMD5=07887F94F904CF7FC14E9019CA4DA2BD,SHA256=200501E0564697E7A0FC680722FA4FEDADB9D012D65E7B0AA2080EF94FDDED43,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.749{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=439A39FA5C965C27731D7D742D21A180,SHA256=E737E6A71AEA3E54905C775D26F2478273A89A98C0649BF5142A4F4A00BD8B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028260Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:27.148{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028259Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:28.295{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE5BC206CDD5B88CCDFCFFEF86C0F763,SHA256=0214FFF683E6B81799A6EAFA356F607B16026403C747538100C700CBB9FF6F11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dll.auxMD5=9B60B2BBB90F47837198E6E98D82A4A6,SHA256=CF985A3477DD0F499F52050F169ACD88D7F2A767641C25774428BB2755123181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:28.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0OA7EB1HBU\System.ni.dllMD5=81C5B20AF92CE8DA61786746DFBBDA67,SHA256=0EC73A4C7D61C98547AAB5B48244022F241D02B1EA7030163D13F9E038D6F96D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.963{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dll.auxMD5=4617D052309AFAEF26D5F4D8D4E23AE7,SHA256=0540CD44C52538002758AB0338A2DCFF1C1A02C362FE580545905B1106C75FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.947{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0X54ME6ANH\System.Windows.Forms.ni.dllMD5=1473B7ACF38D8269436DADE7A3A8C5A1,SHA256=9424F4B954C713E8D9562D1809B029DA51618BF6436C9D8B8CF704E354D034CC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=657F5DD71FA1CA31ED1155BD83BCB6DF,SHA256=02A86DCD031373DAEBA867BF04394444C0C6F91F6D93C020DF2015CDE40DF3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028261Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:29.326{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2BA28B0FE6579835C65B84063F014B,SHA256=723C33B3AC4DB54E3890F11147EFDF0FEC235AC0F6D9CA2BB1451943762752B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.895{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dll.auxMD5=0D59346ED726744FEA0E19160BD691D5,SHA256=77169350D0B655C78CE5B6ACE4BA8B2542B952D2566D0EB2BFE7CA3AA919E965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.895{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\14J7AS46N3\System.Core.ni.dllMD5=FC3DE6187226828D53AF86A55AEFE990,SHA256=41B7A76F0DD86CFFE6D0CA3DC832FC4BC49BBF1B91AD8522A80A686C78FA8CB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.830{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CBA6ED1175884A59C58043188BA328F,SHA256=60D693EBB907C475A4B23433BE6F0A0DA25DB896118ADB41046FD3DAA0EE65D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028262Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:30.545{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5002F5AD156BB86F6BA5C025F1A0EC49,SHA256=286722C12C5F607A2E0D517F6B6CF0EAE776E0E0F910550261E0A7E0F62CAFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dll.auxMD5=F3C267CE9D1C3FB6394036F4E7D8E785,SHA256=A32A8CDFBDC610D9D6F3973CBF9D2DD972EDA72B86EF870D3A235737A6429578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\13TOZAELWQ\System.Numerics.ni.dllMD5=91E874513E4D5B367AB69CA603378A7C,SHA256=704C43518065008070ADC26CDA82847024C7C543FA22971D67EEBDEB9528C966,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.347{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dll.auxMD5=369EFABDD4D345DD17D7F6E96CCD5E41,SHA256=793116A843DC9D67DE87EC0A2ABF11E47A922664B267410098AD7B65AD4430D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:30.347{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\0YWQ59HI7D\System.Xml.ni.dllMD5=B08D3457D316715E513E092A4E1F1B22,SHA256=A679587BF2CAC9D31CDDB246811E683C3F8C5237A7E497EC44ACEEBECE5BB901,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028263Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:31.686{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59590A619D71D3374B5D7B023084170E,SHA256=8FFB049D3C96C09822263C20D42712CF323C7960A0ED7285B03518B4FC241164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.862{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A31A0C1AB4694DC58919196F7E2A003,SHA256=B02C1FEE58C1DBC6CF92B995551755973579F6547CFE065FDF1BB98A638CCCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.831{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dll.auxMD5=D29538F54E146DACA6A1D7E68B48829A,SHA256=D472E44502185F6EFA8EF2F24B7D25DF4EF31AA7229841672DD34F78B2A1242B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.831{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1AMJ6XH9ZS\System.Xml.ni.dllMD5=FE982F628A5787029F86C592E37326C3,SHA256=3067EB0023C9EF9AA2101FC0153CF6ADFF4EDD956EEE6028F80673439B5E391A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dll.auxMD5=BCCA60143E9395CBD98ABC97FAF648D1,SHA256=799DD94DC299F621AF5D70AC9D47731415435028A5A9B625D44C5611C77D14DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\18ATSMREB9\Microsoft.CSharp.ni.dllMD5=B9E34CEC4D766AFE6195FCDD5C265721,SHA256=E1D7D03019EFE1A8247C17C2575F647A7FF7E0B6C9CB9996BA29EBB8F9A8C303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.363{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\17N3ZVH06M\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.328{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dll.auxMD5=CCAD9FB37273BAEBE3F5FA188E00C517,SHA256=67F0D2F9036FA94E2C9FA5EFB2D3D041BBFBE59378A4D2A5BFA52E7821ADC2B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:31.327{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\16LD33LLVQ\System.Core.ni.dllMD5=6BE5BA854610D494C606FCE794962FB3,SHA256=95729D65C54D3EC524E4C11C51147EAB34F0F0523983715CD62D741CB94BE626,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:29.097{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028264Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:32.701{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C23D149B627643BD124794881BDC93B9,SHA256=EF8961D0D383203D49B91C0A8D86091EBF1B85295D10E97798FFDD411CFDE2E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED3C6871FD6D8AD624C272894E467FE9,SHA256=DE6447C5BF5619ADABF0124A35434C59866F716FBF6B0E4C8A7CBD9AD14D8E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dll.auxMD5=EF3404CCFC20B97E804E0921508A9D33,SHA256=96FC2BED83705325F3FB0EBD088F15F4B90203B3525DA008C76F09F3F931A533,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1GMLPJ6UVG\System.Windows.Forms.ni.dllMD5=089EC05F8A337F413F5E95DEB1BCBD99,SHA256=DCA25114BD4BFDC0692778471FA8AF3CEC539D4DD8CE5F0596C5AFCA04A27303,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15D14C3C79621C9197BE2FFE4D624D1A,SHA256=AFB2FB62D30CBA868D7DC94669F98D2E727D07E3B59E3F7C0ABF865E4C669C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:32.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11CA21835D97144B14A57504545039FE,SHA256=3990613B38955F2EF8820BF88B41701A4B2F179EAFA9D0BBAAC7629EFF2D1E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028265Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:33.936{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8967B2E257352AB959EA6035346BF613,SHA256=1B22EC4E0E0EE8321E281137661C13C02DA74AD915C4221A4331310B359DD080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42AB04FB7AAFB05DCB5AA55643CE7102,SHA256=D40847951815CDE0D1D7C464E5E9DE92B92BC6C69347C726844B7247A3AB1B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.547{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dll.auxMD5=F6C231606A7F2DD887BFA24437925F26,SHA256=9A5409CD669694C142B59861B4C92B3F90AFBD4046E46888C8EA80D99826B199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:33.547{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1WN61CHW5A\System.Windows.Forms.ni.dllMD5=431FC5E8180083E6FA1E00FF64B88ADE,SHA256=4FB1BA0C6AA024526594B04095FD9179A547D1C44053360A99CD463D11D3916D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.894{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC7BB7E0F826C91F1F0DD0DE528D03C,SHA256=5D15D18A119741FCD96B21987A2E3E6ADF3B031551604A4334E1F17FCE34E1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.309{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.309{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2250KRECTB\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.178{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.178{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\1XUIY9CJL0\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.929{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92519565F436B59FD551D0212A41AC14,SHA256=4E037617542DAE87F0603D047FB1008CB9A83E8CD7CCFA9E4F38BE7D5DFA7D86,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028267Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:33.101{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028266Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:35.045{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667FEFECD5932E726C1CDBC715AF7249,SHA256=5C6A2EAFEE934E7D32466DFCA78754FD3FF019CB65719D3A2480F895D43D9AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2HPT45PVI7\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\2G2Y49NC2J\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.778{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\27Y7R3T92H\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.093{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dll.auxMD5=FD01F2FC3BB9C77DE65D7FE41BB7E3FA,SHA256=176DC7D281B5059ACA290E90B90480786F1AC745C1953B30BF63E39B63FCDD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:35.093{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\22WTK6S38H\System.Web.ni.dllMD5=70FDF94CA68090BFC787A336F54A1F7B,SHA256=5804590DDB304F2DE4AB2E9E48C281FBB1EE09CB9C711DCD5FCE424CBB970636,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.977{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.945{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EE6E1E198C740751FEFCACAB98AF31,SHA256=9804C1653C346D3E9192C6DDE8603C4D12110A69F863CCCD99753F52FE3CAD53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028268Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:36.264{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C8FC7D21CED313B1022421964D1B79,SHA256=CCC13CBC7949912319D70E5A5B8E88562DA274883CE11600470DD3F751A33DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\35M7W2QEE8\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.877{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dll.auxMD5=1D9AC23D3A528EC83A241C675B3BD0BA,SHA256=2DB7B57944D8B43359DE41CBDA59DA1228B2D57A86AF3B323F402CA87F457F08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.877{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RU3KCHH6\System.Core.ni.dllMD5=E7D8816D0A6FA8D8748E1BAE0B4A6875,SHA256=A0D3EA7A34C4EAEF847DD511D3BFE0E783EEF75A63A6FEFCD03C2F6B9AAE4F68,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.408{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dll.auxMD5=5BC3A9D40323A2B04F4E1902734E283C,SHA256=CFF89802D8AC21E1BCDB723259BCB27CC029712A021861269F65FB5551CBF55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:36.408{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\32RCXYVBGB\System.Core.ni.dllMD5=849D0AA44BCEBD9D08A5FCD6C4880A59,SHA256=B34E567DCB7A031BD7B4F35B6DB317203674C0CF030AA7492E0937D3A31AE861,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.961{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA5058D51BA2BF19A5687368979B6E9,SHA256=03495E15EF773AC84CC0AE413DCC3F3B7952009A6A2ED28CB2EDF485F7F1A038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028269Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:37.389{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632AC0E35D976C267A8370607C91A0FD,SHA256=C9DCE9E255D1FDC10CF4E45A90FD2032207807D76876140157457C46FC3AC8AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\45O1CVQW9C\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dll.auxMD5=857C3C633078A0FF327EC1F905FAE10D,SHA256=31B50CA26261C58BCF0E35A0BFE7B4B13E7FD05F7DA3C20DFCA4E7C85C169ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.761{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3ZIZF1QT8S\System.Core.ni.dllMD5=45F542E6DDC2861FF2D6E1C16E05A4E1,SHA256=162BC0CC8560FAEC6AF395BE24D66124DF49F6FD8F21FA90A445BE4F34BC931B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.376{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.361{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3YC0J5TJBN\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.329{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dll.auxMD5=6E2FE7A4355DAE72B2A560B93997D344,SHA256=39C8A0903E4C7697FCA69012253AA0A79981CCC8C8C3C53C097A9C753233643D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.329{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3SN3JHS6KB\System.DirectoryServices.ni.dllMD5=CDCED7F4E698C3DE8142E81A1A46A9AB,SHA256=6DC7DB265A13AA4C6A8DFCA621CD76C374D0269564732D7FE0097A9404A0CDF7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.261{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dll.auxMD5=EA373B89C0FD4F1EE90998C42C3A4FD2,SHA256=A88BEF9CF305003D6B1E713629F962CE4B81079FF4F665D6F8A59A5C8C2E565E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.261{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3M6KGO24OM\System.Web.Extensions.ni.dllMD5=08FAFE195EAA21633B7E1910E5E5685D,SHA256=3FA1D9C02A067D54B12F7BDC8333C0173B1BB42919BDFD9A76F189F57855FEBC,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:34.962{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dll.auxMD5=964C12F7EDE4473648291D5C6D52CA5B,SHA256=09CD7BFB8C8470190592716E3BF441DAF0C0EC6DF889077E122A1463BFCEDA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:37.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\3CINU4ZU93\System.Web.Extensions.ni.dllMD5=5F68656D96F957624F2094DD871627C3,SHA256=263A84209803C9AF4C4317A5C5FB37BE22885FFC93EF4C906AAF0C627D8EC0FD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028270Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:38.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0FAB1AD30C894BA9EC22D18B5E0B9B,SHA256=448A1F19897630B2DD702FD8D3A71D9506B13B6EE200551A932A109EFD72A1E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.991{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FAE896F0E7BE0ED13A4F606CE6B534F,SHA256=F359212F5F729FA0576D4A29CA2844AFEE6F9CB35662760FF25C98D28BD9DEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.960{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.960{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4BD2OLDW4N\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.461{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.461{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4B8HNLQETZ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.429{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dll.auxMD5=4B4864D2BDD3887862604DE92C828002,SHA256=58CC8C85446792E57BD9A8C69881CD5E66A5EA5624DCB0B9704E7C356BE58950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:38.429{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\46ZWMVXHQK\System.Web.ni.dllMD5=B38253FDADDC16D1C0B919A2E89DBD1C,SHA256=270074EFA57847FF994319B6D696A0F1D4AD07564FB1A8D2FDC3BBC28C1AFEFD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028271Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:39.858{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001199C61AF9B83FAD7DE094E875E34D,SHA256=6293C5337FF5A2F77C6145F1E234C34566B5DBC5C8CB9A93E3ABD1B5E36FC60D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:39.644{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dll.auxMD5=AB1FCBE377A6A30943BF24192D913F66,SHA256=1E7B1434F1E86E83CBFD081E03FC9AD1452D6EAEF768D18F35F90360F4AC6CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:39.644{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4L80Y8S27S\System.Windows.Forms.ni.dllMD5=DFFF6CA588881F5D87FAE30E754C1D6E,SHA256=B900C0634566D824EB4823FD9AD1CD8C69B65E143978E2F92B6707F9283BBF52,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028273Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:40.920{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D72506D47C8E69F530EC91DF476D0A,SHA256=78D9E7893A325E350DF161737ABF38F46DE9AD343AD1F7BB9E91BEF9579C7A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028272Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:39.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.890{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6POLT6AMCK\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.475{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.475{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6PMTPRCX9S\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.459{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.459{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6CGGQDM20N\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.344{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dll.auxMD5=606A2790C740857716526360BA88602A,SHA256=B15A96066C9F545B826B491504F39A1460EFF5392D80DE4B1F5E75BBC86661D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.344{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6C9DNXNCG4\System.Configuration.ni.dllMD5=934AD64C1561413D426D12F22B82DEF8,SHA256=4446DC25DA1EEA3B37DD99082A3D73CBCD8F334C79A60337C79564416E895C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\634WY9951U\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5VCF4Y9RRU\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5BS1TMOGQB\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.191{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\5AHEMKTSFR\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.092{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dll.auxMD5=BABAF56BC4E7ED7F5936B9CDA05FB949,SHA256=472049805F257AF427D88C0CC081CA4CF33192FB0418912FDB75CAE1A5D97EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.075{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\503UQ183RF\System.Transactions.ni.dllMD5=0D4D6EFF8A0B941FA83A237F34282E25,SHA256=0B923E73C01D4448E476244603A9B8AF337DCF9342352A2E215EAA6844AA380B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.044{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dll.auxMD5=1D332A2AB96D39725A924B0F7AC5C9E3,SHA256=F7639920830FE768FDE77D0F7AA837CC6A2A620CC2864ABEF06F2D81AE5FF3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.044{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\4XBM0LREMU\System.Core.ni.dllMD5=4F8E92D7B2085AC07167893113B7EE37,SHA256=E5F3FF00F876CB67661B9838A89CBB71C4B5B61AE03D19B6B6020527A58F7691,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.007{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D795B4BC69EB97F1282046C9EE67BE49,SHA256=8153AE4F350A8648A69C6370EF67AAF26E2F634CBE01B034C0639A81D8960705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.959{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dll.auxMD5=0F3C7B662FBC079F29C3EF02690771DF,SHA256=FA432BD61A221C689873F7123B62039D1CA3CA2DA09E90F87CA1C939F3FAE4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.959{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7D1S6WJRIJ\System.Web.ni.dllMD5=8E96EC1FB2ED02BAACD1964616C6C37B,SHA256=9EEE12F5A918A691006264A2479B713E832CC7DD8F292F6F65D8BFEC3C6F0130,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dll.auxMD5=E5FCD42C7D3662F69C906AEC226AF5B8,SHA256=48129DC1F2155ECD4BAEBCFB148120DA8AADD6520BE1BCE9D3B59DCF651906E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\6Y3OKT3QPY\System.ni.dllMD5=F2D17CA8803D8FF69D707964F3EE292F,SHA256=C7D8AFBFB161B83E2211721336DAB1E6C3FD5F5C0E973C8152063FD1AFB89E16,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C494019A6EF675F9C4AD8B706D1C4AD7,SHA256=83098E334EDE4436BEFF0ADC0420EC95054080D7C6D2A06FCFD9F1EA16E9A824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15D14C3C79621C9197BE2FFE4D624D1A,SHA256=AFB2FB62D30CBA868D7DC94669F98D2E727D07E3B59E3F7C0ABF865E4C669C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:41.028{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2657BB1B702C997E6CE65DFE4F6D585E,SHA256=C81BE2E3124BAA1546CD5614434A45C18D68BA5DCD4A3DEA0C912330EA6CABC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028274Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:42.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93740D876DA7D5E73B5B5E78DF6C3D6D,SHA256=E7910FB3CADD77E38C5A3114901D3301622D5D34315DEEE14C4C226AB6CCD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.932{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dll.auxMD5=47D8164F6B5704DE03EE18C8BD6B1507,SHA256=0AA5F90BD35E835B70F375A5E5A4D7BB5E8FCD38BA34BA17F1F4B24598044389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7GTLY186Q3\PresentationFramework.ni.dllMD5=6FF3D4E13A7F80E99CF8C87B2E2EA61E,SHA256=4B5DEC8E153D241755C9B804B32DC41D865A93F1D12A59533E07574524A528B6,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000055861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:40.077{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:42.044{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A848681270CC5F515E57CD955BF8540,SHA256=5AC4795189F99B236000AF48A41DDD294810EABDF0EBAFE9A1A578564AA980CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028275Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:43.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9597C113D155F34300D6509817C07A,SHA256=F5EF31DA226976324C72A2852C557BE2C4F8EBF721CA08FF5A03124845662D47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000055868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.725{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7a2ae7.TMPMD5=2DE96C38AC19CBB56DF927E82878F75C,SHA256=5CEC70471600143C4863C1E77335843719B091EA0804DF0C6ED4CDA3308966EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.546{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.546{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\7K6F2KWFLK\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:43.047{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90BF6D0A2541B87E9590C3926588A527,SHA256=E1189AB2662D088B7D4A9DA57B2D9C41EA98E932098DC66930DD3F7E43D5C571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028276Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:44.155{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F161A78748F4CBFEAFE1E2B7430991D9,SHA256=008BA1EB3BF74208FC8BFCF2A3A5551BED15FFC6920BA61B4FD8239A92CAB0A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.246{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.246{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8CW0TLLI6C\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:44.062{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D7698DEB5217B1B96DCA32CEC63880,SHA256=F92EE7E2D5D8249FB64BAD2C3B24F16CAAE46D180641A1DAA3B5C6E404B01AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028278Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:45.389{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5070C097D9DF6F74816C7BCC9407B4C,SHA256=246E9CD10305B12522A960AE4F1B55187319930A422D230D92D1E81803EE0C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.753{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dll.auxMD5=3A2FF34743BE9234A2C896E3C7A8EA0E,SHA256=1F1647BAB2A25AF7215FCDC9C03F88D0A2CB1EAA1E61CEB6288D28B69E59D546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.738{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\96CHNE9KEV\System.Xml.ni.dllMD5=4BEBFFC9DAFC484D7BDA244385B9518C,SHA256=0B08FD59C9CF52A30AE65B34CD40378B906A1169456709207CA365A5783DBCD7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.454{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.438{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8YSMTK89XY\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.391{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dll.auxMD5=C01ECF7E635ACE095C407D20F703DED5,SHA256=8FAF355B875FE7A537D651283A77C77B5A95982427C0D520A99268846EFDFD84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.375{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8WWG4NYYD0\System.Management.ni.dllMD5=F1A2535A0424F3F86C727E007F7A6F03,SHA256=8429E3661DD8E26425E938C735597BB4545AAE73AC1EA8A6490140A4D9CB6AFA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.366{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dll.auxMD5=B112B901DBE457D5C44431DEF8018CE7,SHA256=E8A9B868DAAA55B69C61BE12D2C8D3EA8BB1F99EB970230BB6A867B65586B41D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.365{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8U1UQETKXN\System.Numerics.ni.dllMD5=3C15EEC6D52A4674FE204A7E3610D46E,SHA256=95EBC4E4BF44CE09D29EC4505D7B8548DA661278D4DF53F887CC357557F45A80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.360{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dll.auxMD5=5AC47BDFF85309943EFE3B48015AE6CC,SHA256=B954B0424A3B86859EDEB4E1844EAA13FED43EDC3E64022F93D28850E174AF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.358{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\8JIPYYTGS7\PresentationFramework.ni.dllMD5=8C13DC1C231C74434BE8B18DD5D86480,SHA256=1E1471068E3390B52D4DEA0BBF6532C3CD4FF8B396835933FBEDC7B9ADBE11B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.077{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAF1853872E75EBAA33D0530821968A,SHA256=393FA9F7F7B42C14248EAF7D50DC9363499520CEEA00C702AC1B579F3FA226B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028277Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:44.133{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028279Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:46.624{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D078BD791502B524D6330033E03D104B,SHA256=C45B4AAA3EE61C832B96A779C9B2DE5E3D546566865767D8D16ADA025910FFBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dll.auxMD5=5EDEB7CB71D6AFF9F7615368262F0EDB,SHA256=A2F1D764B84B3222C7E77D8A9BB17EB369BEBA8DC915B549647C7D1331644E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.306{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9CX24I1PAE\System.ni.dllMD5=CE8C60E7028F27055C4A6C327FA97113,SHA256=4A235FCBCAC5F3713DF6A2BC0636A0FE5F12CA49B3CA2DD18034902FD4C129C0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:46.090{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA80FFC0D528200BD610B3632F1BA706,SHA256=6337ED9D9D11F858A5157CB8066C33C6AA071BA6558D97CC25B4412BD7EFD25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028280Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:47.639{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B43AD020E06A4779CDC66A48D70C3E,SHA256=2022E9EEB629CC6B8C8BF25736FF8D0491959215058A5C2DE650A1382A3D9DA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:45.173{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dll.auxMD5=8451615FB68C5792747E6B9F17CA39FB,SHA256=F36CB4DA58C61B9521D0B82E1AF455BC583B717FA5D13195E5D3E465B4745764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9Y9I29WN2V\System.DirectoryServices.ni.dllMD5=C2B7030570684F5C7BAF333C9C6DB4B5,SHA256=1C938CA0C98F20F6200B9EEBD2895CE9CA98DD6500A25B734C0D5D7442CDC641,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9IY6J183BS\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dll.auxMD5=BC3DDDB5F07C162D92B2037E6880680C,SHA256=4B74A1D3FF9277CA53DCF8D3541DADA05ED4A1B570F67D2B7C45957DF366448F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE8179F4F98ACB1359F92C2CC487C14,SHA256=ABA944F6368A237F82F0559482E065CD2FE7BAA91AC41E33113A66386F86D754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ILKVTSEI7\System.Security.ni.dllMD5=87E23D848DCDA15E4AB088D7471A99D2,SHA256=55FE1EAC63C9A18285EB2C4CF0CCF1FC54C4DDBE4AC3A5E661889E7C22AEF598,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:47.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9E7FE8BE9W\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028281Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:48.874{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61BF22FFA30AC5046D81BE594A41B4E,SHA256=6D205CF4EB34D1D102E992E3E9D86325782509D8369C07710ED0812144173C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.851{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dll.auxMD5=C6B8D9FAFDC12F9D667B132D1BD24D04,SHA256=C2FC89CA115F96A788E5EA364A753E2D685A65BFEFE13145B138AE0309D2A99C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.851{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AARSWFE6RE\System.Xml.ni.dllMD5=71BC2F8235C4E463DE58A0B06A7CC6E9,SHA256=D311CB68072B7387AF7CBF476708618CFD88A950AA11C17C74D0281AE97DB612,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dll.auxMD5=C868E3CE49BA0E024BA044791DD8B901,SHA256=019CED5A20050041A0B1C6A7259A71BC867DF0A952D36A451E86472359A39D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AAJJT00YQC\System.DirectoryServices.ni.dllMD5=950230DF069FC31756D6F15EE8C95D84,SHA256=951D336C2A06FAE7FF8B42CE8F293B2A226DD338A2C36A233CFDD55C05FDA763,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.436{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dll.auxMD5=0056AAE6263694AECA005FB9F4CFB72D,SHA256=12D06CC2F2616FC7265D9C9E30DCA481DC24D79EA4442FFA9B0DF6BD5BD0086C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.436{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A7YUES1U1S\System.Configuration.ni.dllMD5=25EBFB35A3C0117023CBE947C69E27B5,SHA256=D9139DCB06B272BD35568F6C1496B1323311CF71BED1E7979CEC3D6B63287C73,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dll.auxMD5=5CC4A69861ADC3DC96AB2ACD2D9149CA,SHA256=8841D1CD4ABC260B2B0EE69E209E0F06023FE3C6D9D50A65510BDD29676904F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.289{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1LJGPPVH3\System.Numerics.ni.dllMD5=47D30AB50B1102E8FFEE9922F95C588B,SHA256=1FE316D9EADB703A05165965739493B8826C19A7C084EC53B50502A3231970F1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.273{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\A1150KSMAP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.205{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dll.auxMD5=4554DB58691601FBD376774956021AD0,SHA256=C97E662629BE150ADEDC669040A735BF6BE5C8F4DC6B1007F4F041A1E4CC2969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.205{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9ZPZ8SRZBF\System.Numerics.ni.dllMD5=277A874D3C7FAF514D476913C562779E,SHA256=B0EBBA50E089358BBE363BB14DE6D80AB1F92F52C30C8FE13BC4358C8BB252B1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.152{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\9YME0DIJZO\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:48.121{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48796ABF915121587F7FAD83B6706C0B,SHA256=430A6EF6EACBD2B96F603F2068930D141D103952B5423E8CE58D394AB255CD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.921{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dll.auxMD5=69DDCED53EB62AD5F23BABFB8BA6D163,SHA256=C5164F9DAFB6224D0280E449DA8D85EE507145BA79652D1C0E5994B86E4903F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.921{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AJR4CNNP1H\System.Drawing.ni.dllMD5=2C489C8D4AF62D27FD4C18640F69CF5A,SHA256=09FDE2E93271A1BAD108E78FF0AD6662086D86D4095ED412E7064C9C50EC0117,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.836{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dll.auxMD5=BC5B8E9098BCB0FBD5B0BB3F67D6FA39,SHA256=EBC59D5A5922EAA498E84B02C3F7179FC2CBABDB24D64995DDC1D46FFB0939A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.836{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\AIYX3MQ2PH\System.ServiceModel.ni.dllMD5=17015EDD211E2B3F88EA4398394359C3,SHA256=9DB2318A0C2A57C66DA61C7D698A02480B64D635E332EEBD9CE461F7F65B4476,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:49.135{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64891AD5D7C2D600C7A284A0C3FBE5F9,SHA256=866804C0045209F97300DAA61C00B872213A989ED72C724CE3C20A970774BBE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028282Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:50.108{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A92CA3ABF6D4AE71619E8987C12674C9,SHA256=8190D2A4B6B1C75AA4B0393DCD423EC70F0314EDC40F12A0B5D9899464C648D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.985{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B3Q0WSI9WO\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.735{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.736{43EB4363-56EE-60F5-F908-00000000E501}7984C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:50.136{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322CBFC59E90D98260C1D58BF839B0AA,SHA256=D03588BF3AA1C7AEA82D474D3A303F1A8E3E7950D31FF0A35FEE9A674B6E6C4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028284Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:50.149{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028283Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:51.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4345294BD12E05F800A3EAF5EDD1D2D,SHA256=4B87AAA2DA72E790CA8405897F0138B1E3F2D5188B3B906CCF37EB6EF350D841,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.887{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.888{43EB4363-56EF-60F5-FB08-00000000E501}8128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.740{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7E56732A1904F4B148FF21F2AC25B5,SHA256=4EB91E9651C7831A730FD29545719E5983C2C605FCE1CF86D918F9927CB6E22C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.740{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0544CE2CCCAB0F9AD44A9C6092D618C7,SHA256=DCA10843B2ABACB85D856BCBD421B43789D0B29E74A1469D15C7086F06E04141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.625{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dll.auxMD5=3EC54DEE44368C49379AC078874C7D69,SHA256=57BB02ECC01EC1AA52BCC116D735901E137A77E9943552D01B2E6493AF320307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.625{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\B5ZN0CRY12\System.Xml.ni.dllMD5=D0E98E24CEAD9C2E25CFA692EC9250E5,SHA256=8A4926A4947088F44C02986196531D0D409F46A3D45974B17CA0A33EB0857457,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.556{43EB4363-56EF-60F5-FA08-00000000E501}80848080C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.303{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.304{43EB4363-56EF-60F5-FA08-00000000E501}8084C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000055928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.140{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA427ECB0EEAAA7E999C7BF7C0629FF,SHA256=D168B07C4ED993E1F3E3CF3EB3C2C3B3D33E2852ED9384FB432E394E3D3BE5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028285Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:52.311{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C05273469F7288EAC6805D859F807BC,SHA256=085A23BC4F6C7835062B0F5C035930845B9027D39A8F67A94E34BF35157792B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.902{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A7E56732A1904F4B148FF21F2AC25B5,SHA256=4EB91E9651C7831A730FD29545719E5983C2C605FCE1CF86D918F9927CB6E22C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.870{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.802{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dll.auxMD5=E3B93DB9969E47579EF3CD308AD6F525,SHA256=57D5CB25CAA75CD1DE2F24CF07C558C8EAC60FBA70B71B5ADDA6CF3EBFF051F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.802{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BE7ZHF1NHM\System.ServiceModel.ni.dllMD5=FE7C04F63CBEA73272C0FF5DE1E67B31,SHA256=16280704304C7361CCDB7C088C00D94F72CF2B83E18186D96029EF12C8CBE1A1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000055950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:52.155{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E040CF0DB0C07BC96BAA408926051C,SHA256=992CB45FF278FAD198F7B88E635D1B53AB5C47B5748D8B6605C8D714BB439A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028286Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:53.546{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B8865308F370E63F679559646E397E9,SHA256=9E71729499491E25D266B891627CBB55B7A51A381061241B361E7F8C9B307CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.926{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=648B95E67D96FEAEB3503C406EC2554A,SHA256=65683C42B3A63420220DA505BA94F2EE4EB63D7B5CE07245801B78C0839F0811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.925{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C494019A6EF675F9C4AD8B706D1C4AD7,SHA256=83098E334EDE4436BEFF0ADC0420EC95054080D7C6D2A06FCFD9F1EA16E9A824,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000055983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:51.074{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000055982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.508{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dll.auxMD5=C4730B6A55D190A4DBF04E66F071626C,SHA256=6CC8AF52FD8F807A5DB3DEA7FE2FDE042772BB6BF401E70438FDC785170742FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000055981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.507{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BG859LY4JA\System.ni.dllMD5=00248C9DAA0CD4F85D375CDF673D8581,SHA256=67D7D7935E525B620FB235CAB6565AC7A0C42D0013C03BAE6FB7301B7B5DE71C,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000055980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.435{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.433{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000055978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.403{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\TMP50A9.tmpMD5=062256C5466024FDB2539E33454451BD,SHA256=FE80A2AC0793D186C8C8CC213131C2751493F6C3EDE18D5DAE70F03460ED7D01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.372{43EB4363-37A7-60F5-1400-00000000E501}11004336C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.240{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.225{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-37A2-60F5-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000055972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.171{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961731E131B2085B294E457D72D4716D,SHA256=8E2449252C70C8EDDEF4C12C0AA7444FFBB3DBF045D7C9E9BFF885C5D8F07663,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000055971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.071{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.024{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.023{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.019{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.019{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.018{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.011{43EB4363-56F1-60F5-FD08-00000000E501}8180C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000028287Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:54.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0F14ECBEFF7D0BD6521FB6F459EAF4E,SHA256=A4724E708F0BA6F27BF6BA7C1FE6CC901D6EBA02CD97F27B9BB9C9FD0734945B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.942{43EB4363-56F2-60F5-FF08-00000000E501}73567352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.889{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dll.auxMD5=3748821F7E7DB1DD92C4C5575D6B6964,SHA256=9B707027DB2E45E9A550952164290F845AABB230B7E79A8231FA735944A87FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.889{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVEF6A5NPX\System.Configuration.ni.dllMD5=AAE590481F01707BA3682F70184D1048,SHA256=B012C15153EB2B47FE2EFD7D13B689E342ED5DDD9D9EE55E59FC68D927193736,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dll.auxMD5=9E8273197F9A02B9A721032C9C46FE6C,SHA256=AC968645F5D30BF892E8CD366F36A8DF8B40B65FD7940D3F24C1EEDCE414AEDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BVCGLHZC07\System.Xml.ni.dllMD5=5323B8A12366F102A9AFAFEE81B107AB,SHA256=5EACFEB8E0B0C4F166DBFF9B5116A4A371C6652F451A310F30133D1D8680CEE0,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.705{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.706{43EB4363-56F2-60F5-FF08-00000000E501}7356C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000056005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.191{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local50104- 23542300x800000000000000056004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.622{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dll.auxMD5=6B885B68C6B0ECCBB2E89A4D73DF63C3,SHA256=D6BB1EE81B79CB0C8DD4C8B39704859B055B9C056478043C924D695876543007,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BUKVN9YJPN\PresentationFramework.ni.dllMD5=E5E779E851434195EAF586B414E1AB14,SHA256=453BD0B221BFBE7C7C19FD48797DC174A231A8489E5E2A60C82D72F6637CB1BC,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.474{43EB4363-56F2-60F5-FE08-00000000E501}26527348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.426{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8C423BBC9FFFBA6888CAB5FE0D03669,SHA256=A588E93660DE6D168124CC34032593D83F49C797DFD04C78531CDF7923536D05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.165{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65056-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000055999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.165{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65056-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 10341000x800000000000000055998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000055994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000055992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.206{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000055991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.207{43EB4363-56F2-60F5-FE08-00000000E501}2652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000055990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.064{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65055-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000055989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.064{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65055-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000055988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.046{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65054-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000055987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.046{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65054-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000055986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:54.059{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCF7FEAC633C09271BBB44B11955377C,SHA256=7A0A9D2E20B7A487107CD437978F99704D1DBAE2EAD3127FAAF323FFFAED2D1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.857{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dll.auxMD5=2BEEB7989E153026455A91546700FDA5,SHA256=63A95441B52371EEE7EAE9605B312F82B498BC927E85C516C19984D5B629AE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.857{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C0TCGUWA79\System.DirectoryServices.ni.dllMD5=04A28498B7718E00A2FAA9797FCE2F17,SHA256=47C6A18965FDCE1FA4609406A47B48F689D0B3828CCBF3A73A70B55A3AEB04D1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BXY70745SW\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.757{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dll.auxMD5=0057D8C02F52278E2D88E0C434C9FB67,SHA256=C3E4ED40898F69A430845210C1C1F6F46FB3382B871EC2264963243B4CEA8BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.757{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\BWHTE99QJC\System.Windows.Forms.ni.dllMD5=309216E457DECA1FDDFB036BF6ABA05F,SHA256=59A0802383424FB2D07728867DA0A79D6657E2380406D998BCF2630A7966AE38,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.576{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.576{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65058-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:53.217{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65057-false20.54.89.106-443https 23542300x800000000000000056020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5FD571F80F045557E264D98256F184A,SHA256=4D99F0D2DAD2856E1321DF470A586D5D5155C6D0CF82F77A0279611AFCFA2BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB4BEE1DCFD4BC4AC860039A4D2AAEE4,SHA256=407396649F3F8D561C1847426BD75AFBA2AFDE713F6C89FD21D15CBB0F15A6E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028301Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.811{53AF6CEB-56F3-60F5-ED05-00000000E601}33722468C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028300Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028299Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028298Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028297Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028296Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028295Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028294Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028293Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028292Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028291Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028290Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028289Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028288Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.671{53AF6CEB-56F3-60F5-ED05-00000000E601}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.825{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.824{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.824{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.823{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.822{43EB4363-56F4-60F5-0109-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.520{43EB4363-56F4-60F5-0009-00000000E501}74247460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.288{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dll.auxMD5=3387DD5DFBE5A69E658A1287F3C08628,SHA256=EB1B324EF21E4D9A1DADA4D9A4F519C76D1C862CA16E11725BA97420CFDF6D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.288{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C7PHD2QTO0\System.Web.Extensions.ni.dllMD5=C11869C1D2B9720BECE21325C4F88BED,SHA256=01E2262DC5D082948478B80C22833216555622B5D23040996F3A9A5AE4E956BC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.241{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FA278E34D5845F7D0E74BD12162FBD0,SHA256=4D4769CC2ACDC870E8CBCDFD0DBBD795E7293F133556D3B616D7461422C21305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028317Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.905{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FAE14FC118013FE7F6B8A4CBBD7E52,SHA256=C7D38016F396BA6715E2237DCFA6167F3CE8D3D3795B2EB7C343F3430506563D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028316Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.905{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=032DB3A84DBC189BDFBD9392159C6ACD,SHA256=D06D34AC9575BAAE1D71130C95CBB8C0BD0C05AB9FB4AB27F5ABC1BE721E7527,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028315Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028314Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028313Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028312Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028311Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028310Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028309Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028308Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028307Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028306Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028305Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028304Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.342{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028303Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.343{53AF6CEB-56F4-60F5-EE05-00000000E601}1232C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028302Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:55.999{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4E9B7E509371816E0059B31E7E5FEE,SHA256=EB386FD1F57800575789EAA4F9CFD0B73E7FBFA5AAF92D79B1EE2902221162FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.204{43EB4363-56F4-60F5-0009-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dll.auxMD5=0726536434B1F4CFF6E32E5A04A405E4,SHA256=CA81014EA85BB7A87C6D421D4492658D1ED3693C5E81E194FC9A55A56916500D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C76HWU6JFT\System.Configuration.ni.dllMD5=7847E113AF6ED71691FA241B2F092C61,SHA256=B54E3F593F0379C5B679C200EA5BEF842BD6B69EC88E49F89297CAA66E04E7A6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dll.auxMD5=20FF2F0A0D70F5CFEFDC3CAE5854BFC7,SHA256=03A72C9FDF9596376C7B0E4584A822D01BC8F7EF5AE4C8E5748E79665383DB7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C4N70GKTFI\System.Configuration.Install.ni.dllMD5=BA7270337571525AA0F643C2A10B5BF6,SHA256=E8419C27066C1F18E6B97F3E082D170E3F05683D625CD191F4CF3AEF691D5852,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dll.auxMD5=616FFBD02D10F157448EFABE441FF022,SHA256=4BE5225D3C62FBF39F40FCB7DD918B1385D4F9F241EDE312FA7ED87385911F15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C2HK51K4M7\System.Management.ni.dllMD5=2EE900B41105DC12B81C9BB8227A3F93,SHA256=95D205DF219148F9871702FCA45AF8400CD3C370ECF4834726698B58938E8187,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028345Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028344Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028343Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028342Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028341Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028340Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028339Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028338Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028337Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028336Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028335Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028334Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.936{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028333Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.937{53AF6CEB-56F5-60F5-F005-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028332Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.086{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028331Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028330Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028329Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028328Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028327Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028326Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028325Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028324Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028323Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028322Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028321Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028320Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.014{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028319Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:57.015{53AF6CEB-56F5-60F5-EF05-00000000E601}1948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028318Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:56.999{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F840B057EE2D523DAD3716D8B3A054B4,SHA256=CAAEE0DE10B131AA524179904636925F83B5AEBF086229C38D5E3093B44AECCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:55.553{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local52199- 23542300x800000000000000056075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.602{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dll.auxMD5=D139F7C46452B340FA1AAB6824F0ADAA,SHA256=D890E796CBA8EDC709F63D916746F2F00C90562CDCC1E36D8310CC15CF0C63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.602{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D8R9OZT8IA\System.Xml.ni.dllMD5=1D4B0B23D6D67D7249959F4C1C9BE816,SHA256=5FE8862C6007516E2BD43E2801E1BDB58B91ED8E29D744F6B37363C313FA747F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=BDC5400462053540C03593328D39BDB6,SHA256=F7A3AC38BC48533AEFBE8EECD33D7C2FD99DBA0F3B0D826BDFC1635DEB39E852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=0D836C2B351708826587F17283E32830,SHA256=641E3D33D5196CAC0B66C541C284424B7AC5C08D21D07A88D3F79B8AEEC7E645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=122707CB53DF323470FC9B73872A3A47,SHA256=66C1B244CCAF928F1467DAEC880295D877C549B800A570574C4AF6AD1D73E99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=035D181B20FCDA027C57E12C8084185D,SHA256=3642E2C6D54E3EBAD6048E3E9D21A4161EF134B220D68972E8C8EE62D4470572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=60B4B0A5016002759D6A7063D7845435,SHA256=43DAA5BB0E237480BEF2D7F8388EC4C901B90C58911817D8727E0269FE62D124,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.487{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=597FEBC87D25053BC2C292CB724E2978,SHA256=7583CD679D342E46D3326D435CE36C51127728D02A78212B628AF7A2130FAE1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AA747CC7F01E7E9AF158D4401B0DE0,SHA256=3A4CFC36ABDD7F61B869CE0409FB9D314F454D702B1617E8796CEFE2DD4246CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F11893631EA5DD2560B15C29D83A9057,SHA256=83B760D4C1409386344C41E660B055B6BD4010A47196411E13943F9E9BC15560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.255{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dll.auxMD5=F6FB7708778B24569079915A980A250B,SHA256=BB455BE0C6696DEAC54DFBFD3F9A2EB92EC6BB926F83B3BF861306D6CF64F6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.255{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D2S9RPSSNJ\Microsoft.CSharp.ni.dllMD5=48AA9752C04C314A19620753925A436D,SHA256=F212554A016D8C679B6A819D79BE0D9292A6A8A63141E4C84F69F50CEBA6174B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dll.auxMD5=3BE355F7C741659AC9143FE240563390,SHA256=53584243F91BEFFE8C60395404133B9E0965D4BAA27412A3CB14C43C99ADE994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\COJRNMA6KY\System.ServiceProcess.ni.dllMD5=E7DDC2DB27A745FD9B904E90978E7F57,SHA256=A598609D6B4C0BE721FD06140AF13828706CC526845C19CCA7B50B3F7C6F8AB6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CENXN2KILP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.087{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dll.auxMD5=CDBF47C48FE3C43FA6FDFFC27E7BF502,SHA256=97E156C1F3781604ACACB6E3BCEE094F94B0322FAE5CBE336C46763CCCAB3459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.087{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\CB35XAA0GR\System.Configuration.ni.dllMD5=D3E5AF2CE2FD8C43D74F414B7A63E66F,SHA256=5A239C00CEE27D28EB600819739E67F051F8D96AA44094DB453034062461A935,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.019{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dll.auxMD5=E52B8B92200A182613A6D465C8002B70,SHA256=F474210BE1FEE708AE79D9263C73FF92C511B644F04430988D9A0E430AE6491B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:57.003{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\C9VNGI8112\PresentationFramework.ni.dllMD5=9C68AC0EBB9EBD1A36DDB3459C2AEF6A,SHA256=E3858BC89A5E129F3661AE6CCEF8F10A4BBD6A83A2AD2E623AEBA49413795171,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028361Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028360Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028359Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028358Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028357Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028356Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028355Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028354Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028353Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028352Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028351Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028350Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.967{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028349Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.968{53AF6CEB-56F6-60F5-F105-00000000E601}2040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028348Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.436{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87FAE14FC118013FE7F6B8A4CBBD7E52,SHA256=C7D38016F396BA6715E2237DCFA6167F3CE8D3D3795B2EB7C343F3430506563D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028347Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.436{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50C5C59C16F170214D76748A50FB9C5D,SHA256=3F95CE6485613001B374F2FF1837CAD7F71794AC1BBE4DC8B875C101B539B798,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028346Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:58.171{53AF6CEB-56F5-60F5-F005-00000000E601}2628584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.855{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dll.auxMD5=5CC55A1FB0ED0B2E4990B312C4B725FE,SHA256=E4F07260DA1EDD653B5722AD4A712DB0C80D31B1FF8D5BFA1E84C9C9EBD19604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.855{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EAYU1JY9XH\System.Data.ni.dllMD5=917B1F2CBE25C534CE4664A904F7190E,SHA256=6380182C7F6247A0367F455C729212CEF38C5889E7D510AD2DBB52AF8A4C4621,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:56.175{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.371{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dll.auxMD5=3F78814829D895D032A8BD034ACE4450,SHA256=A2410DA4E27BDAB67B07FAA49D57B73FAFD6C9DABBEBB8331FF6EE5CA5FFFA6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.371{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EABENLFM6M\System.DirectoryServices.ni.dllMD5=1F105E423E686DDFAD34327F2AF3859B,SHA256=0874D66BCBCEAD079A9FCFCAFEE49B361520D911054D0AB30933CE1E42178235,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.324{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D025BFAEA81082EE1BCCE4D672FAECDC,SHA256=28EE3C21A48BB94F9F02BF94436F751E1E3E7A80F1BB22BCD62D516C3172FBFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.324{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=633B29D5E21B55501039CEE9177A81ED,SHA256=8961F335E7C2FCBAD047FF22E5F51ACDFAC6E49B3C6F67EA8BEE707928A9E964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.320{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dll.auxMD5=254EF8FA44D2C6C2AD30F0C72E5FEA4A,SHA256=2091BB513D8D335CDA0E9879BDCE2623ADB6DFA2EB4DA62A22A611D750AE0289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.302{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DQ0CTC4XJA\System.Management.ni.dllMD5=1D3FD15AB1501C7E7C5C71E84216E0FB,SHA256=CA07A2DF2BC440D714F53F4F9DA622C0797587E77677C1A9C4B6B01BE01E07ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.302{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5D9D723E836343DDFDEC2F50D6568D,SHA256=BDA2E619838ADDFBE3FC68BC135F9276601D853D548FFBB86BCD586F2485791A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.224{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.224{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DKA1IUKHFB\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.171{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.171{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DFL33BDURP\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.040{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.040{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DF4KZD5CX5\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dll.auxMD5=22196DA6CAA793E0616864B9E8E06643,SHA256=86EFE97B8AA4DF629552A36B9B701A6CD96D95EE747F1BA761E6A5A0843BF33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\DCA6J3LQZZ\System.Configuration.Install.ni.dllMD5=01A04115F66EDC890D89E9961D365FE4,SHA256=FA2900C83867BCB722E6481BB9070C704EF1D68ED20252F7D1EB3B6DAA320439,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dll.auxMD5=D1633EB12C3BA6976EC07A4F63B7C5D2,SHA256=FA5EA8271FEEF900EBBA55412AEC8CFE63AB04812C2277AB6C43A89807631658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:58.002{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\D98CT5T0HL\System.ni.dllMD5=E6629F608804427DCE9CA7252AA92C23,SHA256=B6699D00ACE64600A90372DFA28089254BE1430D11AA8906B8E7B8C7884E0CBA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000028377Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.764{53AF6CEB-56F7-60F5-F205-00000000E601}25441048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028376Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028375Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028374Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028373Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028372Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028371Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028370Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028369Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028368Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028367Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028366Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028365Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.577{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028364Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.579{53AF6CEB-56F7-60F5-F205-00000000E601}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028363Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.358{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764512460DFB4A1E0265E3FF5CEC178F,SHA256=B365503A1C43245685C07FDFE0BE6DCEF038B0F3D8297BCDFB8103296DBA29E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.954{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dll.auxMD5=3DF95B0C71238F8146AA10A2DAD2FF34,SHA256=37835EDC93EF2E6E5A3DCCEB99509FE5DBFB049D835C64B2D74B792024156EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EHOK4E7N9M\System.ni.dllMD5=88C9F3A6A000DB567901CC188925D7C0,SHA256=5E1C43C87ACA9EEB778AC9BF91CBB976049A472F3AE41BAA6F82E498803796B8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EBF8CB91434800D2CFC5DB71EA0E2B2,SHA256=32CB84FEEACE38D9FE2DE8CE2081A150F5F3129453C16A803B729EFD4DDB209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=648B95E67D96FEAEB3503C406EC2554A,SHA256=65683C42B3A63420220DA505BA94F2EE4EB63D7B5CE07245801B78C0839F0811,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.323{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FBC7AB94FCAA9F18234164C54399A2F,SHA256=E2DC1F2FFF720803F6884D35A8596B73F80388CE149C203D7BEAE22B1E618380,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028362Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:41:59.139{53AF6CEB-56F6-60F5-F105-00000000E601}20401624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dll.auxMD5=9D25DB6F29813D2D1FA827D77A12D1BD,SHA256=829105ADBF1A5F782DF9E98B29CD106AE1D27988D05B162A5702069C31282417,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:41:59.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EEXH79HD8Y\System.Core.ni.dllMD5=2FF381DDFCDD26492D228199E5348106,SHA256=381EBF60EC44E82FE34BAC17A1856C95E766E9260604747F71547133C1C550C2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028379Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:00.592{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B9956D67477F25228ED9EACEB5C090,SHA256=3C2F63C740D9CB2D7F90C39FE8E092CD46C94693E5DE62C2E726665561C33FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ETLOCP7CIU\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dll.auxMD5=F4A1A9F448D8081CE864ACA2BE6078F0,SHA256=AA8B0EB7C8260304C5F8FEEEFD3711382ABEB7B49BDC2A7836E30B95601C7130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ESD5USV53U\System.IO.Compression.FileSystem.ni.dllMD5=4D09B7B8869461AE2CE6EF317D352683,SHA256=979C8FB3B516F86588AF859C6985EE6EBF9A829F1E7CCB723908FECD08B6C98D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.669{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EMT96RIEL3\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.654{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dll.auxMD5=8AA30EF5A6FFA51F166D232C8B76A3CF,SHA256=CF2BEA95501884BCC9E3BE072E7006CE2316CE0C086748105EB2216B8512721C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.654{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EIJ3YY2MF2\System.ni.dllMD5=355F6BCC3F1F0142682CAE2AE9AD5128,SHA256=04A3A69D1F5E94F84A13485DE67472FAE17746F6D655E051C378723343B734FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:00.353{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70D74BC282D75E68A261E5A09319AEB,SHA256=13E9F48238AACC4921467F5257D9197A15391E1738E258F4429A49D39521B0E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028378Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:00.014{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFCF4EF1DF7319221FC1031B9A65A06D,SHA256=A6A54D17955B5CAEE43E927330A425BE6CC053E10D893BB479BF90B1B9D1318F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028393Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A124B39AD349A85BCCDB0EAA2B0022F4,SHA256=7D75AD2D24E999AA7282B0B44559F8DF1A5E020067D51325EA90CC79E817795E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.469{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.469{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZQS3Z3PKI\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.400{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dll.auxMD5=CE451180C26759B1028E3A902C17F85E,SHA256=5AC69F8930094C256A2A4CA5A979682EABBA3BC3AB7DD7F8C2844ED726B91AD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.400{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EZG4G5DGOJ\WindowsBase.ni.dllMD5=BD60B125B9BEF727540A7D61965BAA66,SHA256=A7053DEFC3CF04D3182513BA4E94DA8400513083D146E6FBC67B3E6A213B7137,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.384{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEC65DA5610A856EBE75B0F6ED3BDBE9,SHA256=26BFF16E681C4C4DA9133AA89CF0E4126C5313F0B9BD665B0BA8F384275258FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028392Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028391Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028390Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028389Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028388Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028387Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028386Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028385Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028384Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028383Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028382Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028381Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.530{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028380Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.531{53AF6CEB-56F9-60F5-F305-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.137{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dll.auxMD5=9D050BEFC0EDCA0AC4ABF20376FA0FE5,SHA256=DA8CA881AB535F16D75059E1A0BD90FC8602D4549C17EBBED9870D7CFF6B6CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:01.137{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\EXPS2KV3DT\System.Core.ni.dllMD5=2041735ACCF4A0D44DDE0F13495434C0,SHA256=E12DF0280703B65BC806F70DC05590E33A48732C852ACF4D8A738F9D625218A1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028395Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:02.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5248F850F87B0E532B3D838632C03CD2,SHA256=3A5B8F930B72A52ABE51E111B9E8AA38ED7A3012BD3B8A18FCDAFD1DBA43A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.742{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FHHQ0ESAVS\System.ni.dll.auxMD5=9490A0ABB2089EBF5A6F7BF0A440EEEA,SHA256=4DD6040BEC62D7345DF7DF72F5BC47EA54EFA90A596E821F7782EB013EB8AE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.742{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FHHQ0ESAVS\System.ni.dllMD5=9C448122BC27C4FD17BF7C73FBEEFC60,SHA256=AC872337EE92B3C8190F63286B2F6D4FCF32FDB39BDF99C88816F6439FD2428B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.589{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dll.auxMD5=5B314DACE0CD48E791031B93EFEBB413,SHA256=5D2290D3508F6D1F4FE644AAC53333AFFB5F08F3EDBECFF6B39B3A4AFAB3B6C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.589{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F9LKXV5EN8\System.ni.dllMD5=CFEAD2F9FBBBC856CC066EDF87EACCD6,SHA256=C7594D5B6C3886ABC31EA390BDEAAE0753669682020DCE90F51B0209E9649048,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.390{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3595B315DE595854D7CA63ED0B2EAC,SHA256=0EE38FD30512B7813E8AF48FBD6119D17BAF930137C98B30249CA85E7334845C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028394Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:02.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B8ED171F8E7A2F9C0685FFD60109622,SHA256=D13AE7FC079BF351E61BAAA08A6C86077B9A7E9FA24B849FA8B18C447443F0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.027{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dll.auxMD5=83A798F75378B58F303737DDEA2A82DA,SHA256=5298F68DF0A59A3273E50A7379FFC8130F7A59630FDB9708C5599AEEED598B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.027{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\F1R0DZWR68\System.ni.dllMD5=7BF417CEFA7114803F9790E7F77CFE53,SHA256=BCFAC92FEE902A98C44D030324FC9DC31524AD816184D660C26EA48C910E0783,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028396Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:03.639{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A721EFB95DD66B37A4EF0DFAF13D9BB4,SHA256=425BD98490500DE06846F51F42C717E890A551FC2CF465DFB459CA2A2C018AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.641{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dll.auxMD5=8095866932D116E9C54CB06A279A8C87,SHA256=ED3F11FAC5D38FB2CDD797B3031E7D49EFB7BD44DBF9355ABABA43B82CA46466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.641{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FVG9I175L6\System.Xml.ni.dllMD5=016FE7AF94AF0BFB824D63F6B0688E43,SHA256=AE20EA6C343733690F1BB9B5963AEA624FFB3B86FAC697FA4C16A753363B291C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.424{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B563F43ED18276823757A4AA427D33C5,SHA256=9A1A7CA39FA3B0D0B3F817F0BEAE479953C7D71AA7CCA7E6375148F42B2161A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.188{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dll.auxMD5=DFEE9A07D29D011E5C90B8528DA018EA,SHA256=4D719B04BC17977086E3C97ED6DDE6D64193831715F3671EDBB40F39E3684887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.188{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FOGJRDHHJ8\System.Configuration.Install.ni.dllMD5=FDAA71B0FD121959A938C6CE35450216,SHA256=0D969086369893119F98A8FA80E3A2CF52CE193BBB4C617BC777FDEF295AC069,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dll.auxMD5=8BA8863BEEC87568AAC3B366897D0D32,SHA256=D0E77250356D5D825C484FEE34BBC25BD06C6D1AECC9292A0E3B3DD14FF4B081,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.172{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FKBOD29XUR\System.Security.ni.dllMD5=E050C5A89D23FE6EED7B86C3271787F5,SHA256=1045BCADAF25EAA099C264222B8AB242EC71EF1500EE5C524B2F2D6232D4F3C1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dll.auxMD5=9A6ECBF9E54407755BC7A46CC31C1903,SHA256=AB66C7611BE08DAACE1216C27356E58F5FBA629E0D55564BB48C68566CA7DAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FK8KVELJLD\System.Data.ni.dllMD5=C803FD0E8E41B8E4D88B5A805756F020,SHA256=6F56D02E25E27523A86510764F1EA2827AECD9BF4B1B7385CCD2F24940FB4718,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:03.041{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EBF8CB91434800D2CFC5DB71EA0E2B2,SHA256=32CB84FEEACE38D9FE2DE8CE2081A150F5F3129453C16A803B729EFD4DDB209F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028398Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:04.873{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871E3AB1CABF243274EEEB6F66C80B9B,SHA256=EEEBB1DCEBBBE29B939C85BBAD1995CC14A0E487A9C406DE095CF60356650266,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.987{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dll.auxMD5=0D6387AC9B68EE76DD1AE4111FEB0842,SHA256=F87542DCD5903BA1C034524739A790E9D3B1B336B227F243592B34110620F13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.987{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G13O28JG3B\System.Transactions.ni.dllMD5=847A385B1E0000FE8E4F31BFD457AEA4,SHA256=70ABFFB679617A8B62208F4BD26F1DAC0C5ADF6FD62EB9C81BE6A249613E340C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.971{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD96376F35C0D47B58E1E92D12678AD1,SHA256=0373584F998CF24BFB40EDCDB74518DF3606A99A01C5FDDB9E9F30DCE8C87D7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.971{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CF5708D625F71E6A15D064D114A0188,SHA256=138D3033504FF5BDF44E6726013F92BF604AA5023A65A1B4527CE88805B86A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.940{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dll.auxMD5=19FB3A849C52671A5AB8AB8EFABC318A,SHA256=799F28D0CC5031F28563E4C53CCF7B1B088589E6908C1961EA9ECB296B368AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.902{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FY65QPL515\System.Web.ni.dllMD5=0EA90B6E8B779F335E221C1AB127E1F7,SHA256=7F19FC08816DA636C530A17A011AEB221A83A8785ECA95E3530458B296F79C66,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.671{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1AB293798880BD11C921040330C36FCD,SHA256=B8643ED675E7777CA9DDD235FB724F2DCE76C2AFCC412D4AD43FB23CCBD92D85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.571{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.456{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9EA8D3570BEF3DAD3624DA85A64C5D,SHA256=79E4322BDFB8334C796722BBD0126E5DA5A5437E0A71F85CC846127822885C7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028397Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:01.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.256{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dll.auxMD5=2AB656FB5268C785EF923D3EE5459128,SHA256=C0A8E0011E3037F316B88BED6DF66543AAB3B178F62A39F6070B5670248F67F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.256{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\FW9MK8UIY5\System.Data.ni.dllMD5=93CE7584E855F6AFBB0E78492FD58849,SHA256=8091F64043891CCB2D0FDC3FA0B9670D53F3444C7B6250340DE846628448DFA0,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:02.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65060-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:05.488{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E398511A7FA480E0CFFBD63C951D90E,SHA256=27B0CAE4CCE9982053C49CE4E14920FC82CF07223094B7B012C3327D50AD4993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED65C8B3C314062368525563FC221432,SHA256=89B499490397C151A9A5F42B3848C743861C2332A22CEC16A93859B2FAD6C0CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028399Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:06.092{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AA55020005CD68702C46BE8F15AC4E,SHA256=9C49069EA3195414CF931273E515F345F9AD9DA211C84FCFB9DC952190460E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.455{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dll.auxMD5=8E0B5273E15B0F56E9333938DF76CA3E,SHA256=4F360EF24EA7F0823D897C9611EADD08300C981C161C1B36AD8CEE21CED8EA41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.455{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\H6GX73S4CQ\ReachFramework.ni.dllMD5=E069FAA5ED61AE659FFF54862D342EAF,SHA256=51516AF2F20913DCE266088B51C10A25A23950B680553277955B6DA6C62D8001,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.340{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.340{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GXZFSB4FLE\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.324{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dll.auxMD5=47F23732071CE372B9243110B56A1313,SHA256=7F15665D9BB1AE85C095B19115B0C67B3A4EB52758FE0ECBDC13C288723E79ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.324{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GW3Z3ACCXR\System.Web.Extensions.ni.dllMD5=33ABBACBEBD570DF9FC4774D00275EA4,SHA256=378ED5CA79D9890DEFA965E9591B916A35B60E1B8D7EB39CC9D4E88FDB6FD52E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.156{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dll.auxMD5=C1BFBA62286B37FE0040708E215BF84E,SHA256=03F8237BF012F6F2808F96D34F1F239C6853F03E0260BB8CEC7971ECB0B3BC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.156{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\GGTS06TXPC\System.Management.ni.dllMD5=3C5C4EC7108C741BC98B0C4DDD57674E,SHA256=9D2273BEADA4D0C7D2CE64B81771586505790835694F2984E7BBE37F0BAAEC05,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.140{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G7Z8TQPLC6\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dll.auxMD5=9A94D56493D66174C9A37E6EF2C17EB5,SHA256=FC910E7B67FB2A4152E62DD5331172171DBF204E9378834C9614E4E30F8511AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:06.124{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\G1SDECW2WW\System.Web.ni.dllMD5=58C687EE63E997153029284E45B3E091,SHA256=3A8601672FF13A34D8B297B144322BA802EAECE4DD3146096F9C9BC54F9BCC4C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.520{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606C6BD0D07E70EDE380903BC9FC30BE,SHA256=B12ADC880B85C9D79AD7ABE98D5B5BC57DF29CAF9F0612C4DC8A4921577E1B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028400Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:07.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B59949AE58D4B5898C8C5F1663BD08,SHA256=A06ED6DBFD95275D7C6401BB4686C0E669EBE6138FC5036DC0765F04D36E7C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.439{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dll.auxMD5=F70CFE77E87F55A4FB36DAB40447C16E,SHA256=C4FBD72EABC752EDB93372AADFEF11DAAA4BD9299569721BD28D962590520BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:07.439{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HGDQMPXGQ7\System.Web.ni.dllMD5=F79C500CAC32075017619FD8994AE0F4,SHA256=21CE1E3E0ED6F59044FA08BE14CE93325A1AB45F1E334B7233718A455BFA4637,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:04.505{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C06CDA45A056D5D43E9CAD1FF5CE7F4,SHA256=2998BA0D6F366673C7DE32551CDC509989F754E6A3BAE107320317470EC2C42E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028402Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:07.008{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028401Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:08.155{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBE7A4A282D83B84B1E4626AECEBAFC,SHA256=D740F02F9E22849F590D5E8ADEF5419817995E4C7125368D7B95F44275A7D452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.500{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.500{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HYL1KLWVXE\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truetrue 13241300x800000000000000056169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:42:08.322{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 23542300x800000000000000056168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.085{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dll.auxMD5=52BD50ED4F47D2E2F29961EE0EFE38D1,SHA256=4805A52F8ED7EF89DC686E2DCC6B06E6CE63E763917F8B1AB9012712243523C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.085{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\HOKOV5H7CS\System.Windows.Forms.ni.dllMD5=4B85DF10FF589C916B17F5D590D44713,SHA256=696E3043EC7372A00BC16ADBD6A77EC067A177538A498EFE96BE7549B2A264EE,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:08.034{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.584{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C0577252BD53C584A8C2848F38D839,SHA256=9C3C5ACCA631D61034F9B876161879132D75F57FC51477F8D51275E31BDFFDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028403Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:09.170{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EB69A1FD06F73DBB19F20282B0B06C1,SHA256=85B59B2386D4293CD3A0FC0816E6177BE972C821C975C4DE23045E6FE57968B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.499{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.484{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dll.auxMD5=5D398136B7EF718AEDDC2B292F49FA7E,SHA256=DA7E0528132F730C1206B617B914AC2DEF37E27A63759CEE6CDF56EC61E54650,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.468{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I0ZG5LI9D8\PresentationFramework.ni.dllMD5=78D04F023FC7CE7C0509605E674FB7EA,SHA256=35B483E27DF57BD7F2025E69EFC2C721C552C158D7D1DCB8398CF7DE3ECE8DA7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.820{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4ZC1WO7UV\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.720{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dll.auxMD5=DF0F1C0FA81E796AC70A2D94A073E9CC,SHA256=0845B10F66BEDD2065E719081C9D63342AA232BF92EA04790F2F4B5CAD7C0E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.720{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I4EZ579ZE9\System.Data.ni.dllMD5=3EE0E72D8E3B1539DC08D97CEEA7108A,SHA256=255AC27EC0628CD1C208742807B816562D279688C1DA873A889FB54230281B6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.698{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B341434D562C66376375EA6C98CFBE9,SHA256=EC9C64258DF4E12276C71E803568EA2EA893F29EDD44D7C456AC572B503B0E2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028404Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:10.280{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0C318534444AA95C61D33FEF794924,SHA256=25684ECF1E9B3B466D37EE5755D374B91C86C4B94EE1ACF4EFC44CAF166AC442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dll.auxMD5=0FBFE5BF85572E5EAF926378B1D5A6CD,SHA256=365F134ED4CC28065A185B62435A5E607FC545BF4555821AF933C4BF882EEC27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:10.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\I36AMTGQTY\System.Core.ni.dllMD5=B2E70F3704B5B64DC37B04E4C1C9CB25,SHA256=E91FFA95C7EABAFFCA0D419C77925EDD1D4F7901C520B962CAC5FBF4547830C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:09.999{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dll.auxMD5=EDC52D59BDF2DFBB195AE6DD2A938270,SHA256=ED816F3F4B2D458DDAC0306AFA5B9D2C080734BC035126054DF76141F90910C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFZ4XBDHAS\System.ni.dllMD5=D71B052A790A577400CB572A7D4CB69B,SHA256=DE2BE5C6691862A5223BDFEFEE00F33FB6C7A5B2F6DC68124E44EB42D8D3B709,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.851{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51200E2EF70A8BF856B7887503C11084,SHA256=5C921D6858A6204FED777175B11D2557F02021C0783AF31794B002536F92EDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.851{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F0F5879455CC1355965C4B1017824873,SHA256=1E6F427E20D1266D130135236543645C6ECEBFB3FE506A6CB71620795EAE580A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.718{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA87885CFF64C4A5CB4964D9BC6B66E,SHA256=A8A2FACD1A39E307744BE02FE1695169DB6DBB63FE65715C77820B6ECEE672C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028405Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:11.498{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3309531BFFA0C8BDB8474B74101F80,SHA256=B0A56F6E6F2F70525613D2FF05D3CF0695C80766A6A9F467381D68600232C519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.367{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dll.auxMD5=5F1B10CF85EC7771100106A8D294DE9A,SHA256=C39E9DA9D01E465D0018CD0F38C4679CA99D3D2DE577B40FADE4BBD70AAEB914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.367{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFIZWTS6QK\System.ServiceProcess.ni.dllMD5=B5478080DC0565883D13ED0AEB88AE0D,SHA256=7133B1C2FE4870AB945EFDC8A8846A7C8F3F50F9C86784C3B9E0EF0CCBE62418,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.352{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dll.auxMD5=870A3297397BA0FE7218B9C05CCD1E5E,SHA256=1EB4BF3E6FB4775A6F7AEE5392F452B0E673B4F5C6E539E2C40414946C7BDEFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:11.352{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IFE8ASBLJ1\System.Core.ni.dllMD5=8326A23004BDB577F7A7127273214004,SHA256=F00785989931F0C8E944A6A8DD2D28F4F623EF4B9CDCBFDA3C1ADE17FDF1D9F8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.735{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDAAB8F7E5D6B00217E2BE12446AE60,SHA256=12895FE40743BA8BCAE26B13CB9AEB25C1B1AEF6E04AFAD57FD1E584B258A5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028406Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:12.733{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25EBD5946EF954C052898074D0757AC,SHA256=CA8D98FFD047FF715AC13E26EBC179B75598D01FBB256C5465F6C885B53D811C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.336{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dll.auxMD5=1D30F3B92D5134B2A30A5F0DE1C91264,SHA256=E0F0F10CD976EFE6069FBD50986EB409295BB110D1848EB1C721DB525CA03F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:12.336{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGF1HM5791\System.Xml.ni.dllMD5=D7943DFED3B022B1D45A86E115CA587A,SHA256=0CC48205999BBF650571D739A7CCD2436528FA0DBE507E46F61D53028F5246CE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028407Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:13.967{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D8EFD8EA69595DA15E93ACF6695686,SHA256=CCAD43BC8A9A3CB86A216E143EA9C5262E5AE2E3ED2B107E2CD7FCDDE4B43B23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.736{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=132946CDDF25FA241AA78C676E1D8349,SHA256=7FA2CFD9CCE036D39EAB9BAB8E26FB2584290C561510987EE290FBB6DB74B62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.683{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dll.auxMD5=DD0CEB4EA439E19B10174EF6765C98E1,SHA256=75AE3D143A5C54005FD62BDD0961B822893FA6950D9511F46D3F0FBA167B910E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.683{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ILWKXVRXJC\Microsoft.CSharp.ni.dllMD5=B532D8EE87DC58C1B47163040764B56F,SHA256=D21ED6A4DE422B51B01FB33ABE0B8A7E05ECB33DE3565C080BC7F36531BA0ED3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.652{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.652{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IKXY32A1W2\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IK5PEOTIH1\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dll.auxMD5=34557D491F925C33B9579E2AE5BD4017,SHA256=AD30F4DA8CFDDF64D38E65145696AF7233CD5ABA10C244B882ABAFB770D7E608,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.637{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IHRTXUCXB7\System.Core.ni.dllMD5=19160F5E64B830DD9B54C49057A68163,SHA256=F18AEDE0C9B8E6ADA6BF9FCBD86239712F1C420E1BAEF0FF02339F2F15F8BB81,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.139{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dll.auxMD5=D446BDCD7E3BFA151BD38417CA52BBB4,SHA256=DC1794960B5836EC691C2DC58B068E76C8FE07B8A1293373ED30ED08A02887B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.139{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IGNWWS1ZB4\System.Windows.Forms.ni.dllMD5=EBA141EB6870A5CE8F381C7423130E8C,SHA256=60BF35B16E89046C8D5D49C3FE8D73AF63226FA1A4C865B96EE067035A3C21A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dll.auxMD5=7F30D62C40ECEBE959AB7FB13D9CACB6,SHA256=F563890C1B347670F0A4C7D48375B329C4D6D5668656AB34D431CF54BDC84959,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.938{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J36I8I01GY\System.ServiceProcess.ni.dllMD5=6DA4DEFCCDD3303D217F37080B3C82F2,SHA256=5848262A5DF18EEDA336B5BCB85B1E4544E04A99B0D79AD3E249CB0F4AF89CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.922{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dll.auxMD5=C347F922A9553D718BBCAEEE3869876C,SHA256=722410E5968780B9E761CF0DD4EB88AE0ECFDFDD4108B53D86E537B6EA9C8737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.922{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\J28YD181DN\System.Web.Extensions.ni.dllMD5=77ED9EDEB0747952D3B1A7B6E67D01E3,SHA256=9307F45BFEF69DEF67D5F1B21A7EE2B9DC6B8721A33329220F5038C01A3B0A8C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.738{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247DD26A61E925460D58A6FE02B0EF4,SHA256=D23F93335D19FA21DBC81C28F64424D67382D655D842C9C2D234A1E50C56EC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028408Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:12.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.685{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dll.auxMD5=01E8C031085FF8BBB38DD53F01924384,SHA256=3C5FAA30091A95257E80AC41FD202AFCB16ECDF79580A88B7BFC05ECF44F2FE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.685{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IWZPZAJL13\System.Management.ni.dllMD5=5C1FAAE417082B6C49E892CB5E511218,SHA256=68EBA231E243F2FBDE1EC5F1EE17FA7C1D6B49EB116652AAE4E980CCF1878101,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dll.auxMD5=E240420E93103B565F0E202D65BF02CC,SHA256=30A7A2ECEEA4B1E1EDE71D67D6B3E652C6996BD71D330FE6C58618AE230795F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IVTSH2AZKH\System.DirectoryServices.ni.dllMD5=1C9EB8C8F79E7AE6D1837A92AEA937C9,SHA256=3FDBD432E9BD0A40D636E64FED0E27AFA7AFE8EC8DFBAF1CEB0E02CF9D45E191,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ISOLJHW95H\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.485{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dll.auxMD5=2021AE82CBD2D825BCC5BD389D6B04BC,SHA256=E735BB5F60025D0802BCA188FCC852A0EF05D1F61A823F2B3F1A7F8432BDAFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:14.485{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\IONPFI7NJD\System.Web.ni.dllMD5=3ADF0B1515BDE1375284BF35B32290C2,SHA256=026A4F05226CFDA96E2C8AEDD27DF895A67061C9D5BA5C4F3E695A5B5828F65C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dll.auxMD5=6D550B69BDC7D89EC2E3554A3DDB4667,SHA256=7CF8E63A66C6685A48A43466D8842DE966699265AF5DDA14CF5EE7EA2398B019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JHYA271NNM\System.Numerics.ni.dllMD5=AF5901179DD8427F1BCE805FC1C60542,SHA256=976A8BC3D65758BF022E26BC0F8BEC1B908D58665A99B6DB45FD5004809E16C5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dll.auxMD5=0957F4DA581E02FF9C1610899338F081,SHA256=149C4DEBA1B8BC2221AE4E9375A4D096B7FA043FD251BF9127A286B9B5C870AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JBBR8BELHO\System.Web.ni.dllMD5=518A18816F2AD45C37A53A4D5AB36114,SHA256=3978A170D2047F55D0D22592D4D67EFDBD4AD29E48606367706C9BE4214F84FA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:15.752{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D83096DE01C4CDC814D2CEF32117BC3,SHA256=691970DB66E3DA55F4DC4FC09CA0D6E9668B232BBBE682D9400050F11E936938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028409Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:15.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC3DCC36CD5719BA15912C3CA1ADE1C,SHA256=A599B79C58A2B1044907C6CCAE933D47B9B2EF0EA29CAB0F59B737CB19348F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.767{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611818CB1B10CC78C9043A85342EB684,SHA256=5F0655A8C3696F7FCAD035260D5A681682AB1D5275834EE7A21DCCF873694767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028410Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:16.217{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89B5A4B161F96C329D79F55E34FF2BC4,SHA256=856699CB41CFDEAACB3F569A853AC5988A9A653DC04ADCEE2DEDAFB744090315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.616{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dll.auxMD5=2757D2358B8F06C9205162B01ADD8563,SHA256=7DA6F03A2961DB5296E81D1186309960BE931C942AD7F3BD2FE11BD1F40F0B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:16.615{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JMYST3KO7Z\System.ni.dllMD5=897FC7C6AA44F5EBF88139492F41E46A,SHA256=D365B32B72989F4BAED79A536394AB7D040B9A920F89897DD5BF77264F8A6792,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:13.150{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dll.auxMD5=8C8F36DCBC0AB4F29DC79D33D9CD7240,SHA256=48D6097F83178C3905EC2BCDA01C80CFFB1A832CB1F0BF5F08E510C86D6F9215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JXCZJIJOPH\System.Numerics.ni.dllMD5=845E361BD51C969466956F80361DE179,SHA256=1BFFC23BB5882DA343969E12ABE4FC89BBC0EC41D9C30E7DDBCA7ACF250A2752,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dll.auxMD5=337A44DF08CED104D7814C2A7B3A0898,SHA256=C5E3AE32A409B4FCCE84FA81A83509558C8AC31166CF91760407F9DEEF2EAA60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.819{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\JUQ7610ZGN\System.Windows.Forms.ni.dllMD5=AB95BE2F0381664F51CEDC66091D7BE9,SHA256=177E9A8A1D1800F1C28BEC108CD5AD847338548FDDB471FF708CE4FCC6F5C606,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.782{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5881FE64C87017BC6BAC8FEA82D336,SHA256=4FDFCE940BD2B5101E7EAB9FC38908912BFD4ECF055C24E0A60427B938B6AEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028411Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:17.452{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D36993607D3F713D53B01C9B02AF36C5,SHA256=78876D0C7751AE36D31AE717675246E92F093B20A45E66E012E856E4BACC3C8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.666{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A75F24D409F2A99E5C150B38370F97AB,SHA256=C1C3EFFE71C6C2B95E7FE4B8C358D04596A044DAFAEC35CBCD2177E0D70C5986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:17.666{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51200E2EF70A8BF856B7887503C11084,SHA256=5C921D6858A6204FED777175B11D2557F02021C0783AF31794B002536F92EDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.881{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A75F24D409F2A99E5C150B38370F97AB,SHA256=C1C3EFFE71C6C2B95E7FE4B8C358D04596A044DAFAEC35CBCD2177E0D70C5986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.797{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4294BFA2C561237F62C15CFE8E5074,SHA256=0B5053F1773B621F45A494C64CFC6E33ED737CEA1E2A9311A91CE19ACEE0FF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028412Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:18.592{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFB9D32178C5B8138D17F1B66ED5E44,SHA256=A10B39CD8A2920B2EF2F8B29EF3A0ADFAF73ED8D1D2C05ACEBA968BD1C483FAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dll.auxMD5=A2054B56E52D30E988FB8E8A16E667BF,SHA256=009ABF98AFF25034C2A60E2E5C2F5687889F13B9435D965E52052A797E830C74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KIR6X57GGI\System.ServiceProcess.ni.dllMD5=701013E651E17E9D7EFC716A52EF250D,SHA256=653178D1F2FE4983C9E8FAC3E4BC2F0CE7CAB8F5A44BF1FB710B901082841FEE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dll.auxMD5=74793ED55CA5E05229CDD02BCE056C64,SHA256=109B547081FB3D7DD775E60449A24B88EAF5A35B5EC3B69F4B0987E6EA0D5C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KERR5LIL6C\Microsoft.CSharp.ni.dllMD5=401729E38D7ABECD78EC2E9BCA281C5C,SHA256=BF273BA827A9BADBB785086965D428382DDFDE50B53355D2BCD4AFF70695C0BE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.697{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dll.auxMD5=938F2463A77401FE0B14F375FA9E1ECC,SHA256=CF737F659C2B4F6A5991AECCCB5A424748075189BDD3853576AC68B316A37A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:18.697{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\K2C08Z5VQM\System.ni.dllMD5=E5B921ECDA5B62F89AD0F30770489EE7,SHA256=94548B6DA782327576F76F826309ACB5CF6A80F9799F6C1D79DF4320DD8A36EB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.818{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDD623654D159C2418443CD29273E3A3,SHA256=4ACD3CDE153D80FDFB2A81C2D181AC5220F1A47A2029CAE6B586AD4FBBE0EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028413Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:19.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05D311497D11C1F3FFD01AFF624AD2C,SHA256=F21C0B961C6953FD9BE1787DCD8A47EEE8724F1934819557210EFFF3556AE207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.681{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dll.auxMD5=684302FE423D7E41FDC82C1D5856E236,SHA256=F337F5920192EC0AACF5FB4361AC90BC3C648AC0846D5C2CE84645D465DE0ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.681{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KOLTA8KVP1\System.Transactions.ni.dllMD5=ED09B66BD9413256CD1DED2FD1782AD2,SHA256=90BD081F86F3888C1C8F639B10BD88D7F212573EBCC4E7B226103CC1472AD823,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.618{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dll.auxMD5=4D1A6689DC11F81CF9642E9CA661FBD8,SHA256=184270D73884EA9ADD722EAEC9D3A0806F5CBD2C7CB4D6DC4591869DDB2A4194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.618{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KKNIV7Y3I1\System.ni.dllMD5=1D502B42F3922DB469D11EC1DD4A452F,SHA256=3F4717011759940D5F9F588CC8BED4B958CD94C373592206C1AAEBE284DAD7EA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.835{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F90C478A94883273DD972B98A179ABBD,SHA256=9CFAD80B8A63579965CB70129BB9C7E3E9DF8AEE044E2DA90E6D57AA7CBE6C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028416Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:20.936{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E6A2819C5C484909D33D943A2F7FC0DE,SHA256=D677911C8F25560B126BBBED640F87AD7A8512A3F69A5420DDA1097CA22BD7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028415Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:20.717{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95CC167614EA5DD4FED7BE9DB2346CB7,SHA256=298CFC84DC54F89CC1861031108A723A1DC6DED1D940996DC3ABF3C01A2925FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dll.auxMD5=C2E0864BC116ECCED285DA8D65EBA6C4,SHA256=2BB21F1B779326CC28A17D48D9F22E3D40D2AA67CF35282497E9BB087377688B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KXNDZRV6MH\System.DirectoryServices.ni.dllMD5=D8D409480F7CC454D0719266B2D7D9CC,SHA256=9B5D64CF20C48A42257A1E2E68F810F179E553C3CF743ADCA720BC20682A0849,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dll.auxMD5=CC8504EB0D831F3A4D7BF486C8BBEA57,SHA256=E9740B680C31812CB7524E87205E12CA8DA04DE69735BD7EAA900EDEA24D8309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KWU26L5G78\System.Numerics.ni.dllMD5=AD4643D2B1E5DF5D5B5986C4870424FB,SHA256=E7518CA9B10991F2C502321C26DD4F3AB778E162B1A3AC90888628FC864C47BB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dll.auxMD5=63CFFCE43BBED168D0654C5A8A018374,SHA256=3424CFD864C6AE00FFC20B978CC30ABBA607511DCD8E423091E952A7A99B11F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:20.166{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KU41JGUGM9\System.Xml.ni.dllMD5=4BC31F57ACB281F7C863B91725EB6C29,SHA256=459055F2D2B7F600BE627AA49F1681130C1892BC0A0F8DDC76E9BCA32487DE2D,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028414Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:18.086{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028418Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.952{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1443D79DF536FEADFBA538A991C6A97,SHA256=AC76FC7DC7138E713DD3EEBA5D560AB4D8759B31EC61367ADEC4D9DDB672BBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.835{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1E134D4B5820F32636BC95DA7F899E7,SHA256=9A7B608D0B1F1862FB04420F5127032DD17A23CD348505C43998F9408BD5109D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.798{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dll.auxMD5=7BE8E3D8CBA8DE7A117F27F0345AACDB,SHA256=9BEB3A0B9B7CC3C5843693FD59757D3AF78C48A48C7E949A2DCABC3181AB7625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.798{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LLC80O1ZV5\System.Security.ni.dllMD5=54B8805EB3C694F29052E9B1789A07DA,SHA256=4D2E9C421DE3E5FA95A79E6C35CD689B53BBDAA27FD36114ED4710F9CF1F27DC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dll.auxMD5=1BFDFCF998903EA6AF2C7F1496C9BD50,SHA256=DE281F3E622CCF729BB00B9DDF68643C79FCF455B0EC1FB21DFB5F94AEDD6859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LKAJNTQ0TG\System.Configuration.Install.ni.dllMD5=A8DA77D12ECE05B2F62E9C4953661141,SHA256=FC27E15E339A52EF8C0D829E7E6800365A1755A8F6DD1650018EA73CFC18996F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dll.auxMD5=CCA0985CD95C87162EE8FABD44FAE1F5,SHA256=EE34560D22D7CDEF63F66AE66B409DEB4D75505E1017190BEBE0D4191610E7DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LK2QT4W2RD\System.Drawing.ni.dllMD5=13B68E88BC8FE03216C474B8DC5258D1,SHA256=64B7FB05FD5CA1DE5630A096593393F2EBEBE2D43AD94B1D514AACF05702F345,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.698{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dll.auxMD5=8C62FCC7526EA7B45336F62B19961917,SHA256=380C559E81001EB5A7E6E4CB27A7BBC78CAF792DAC2CA81FB5CEEDD346D56718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.698{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LIM5T5XM4L\System.DirectoryServices.ni.dllMD5=1B1CEB2CC83E5F299E616C434A37FC86,SHA256=1AD9A12E233F803A985AFF686A26B3DED3CB16927C25CF4C7BF0D7AA4CED4137,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.567{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dll.auxMD5=7E0C144A9DCAD31A8111B8B42DDCECBA,SHA256=AD9B8AF589F1D2BA5C81427E41087FC704AC82D57DE568EF8085DC9977CF8549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.567{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\L3ERTDNST0\System.Core.ni.dllMD5=F1FE6824F513926F23FFFE53348D791F,SHA256=8AB5DF5356D9BC7FF295DA609CE1AD35A98FA8A91B98CE805B6CE72840483BBC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.515{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:19.014{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.098{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.098{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KZYRIY0MEY\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.036{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dll.auxMD5=AC36643F64BD9537E552F35C0B019EFB,SHA256=4AA66A91B44CCA1403B9F0E71435C3233124EAAC20C434412CCACB77255B5612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:21.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\KYQGEDG1SD\System.Windows.Forms.ni.dllMD5=A8D652BBECDD183E51E2E654E8F4770A,SHA256=C1FC8E5327FC8C5492756648C2AEF53E12E5F647D82C4A01DDCF1DEF561E92F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028417Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.311{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:22.850{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D3AECC65DEA99F19F641E13ECB50AB,SHA256=0FCB66AB2E64AD13156FE05AB9879B7498931B3CCCB5A631FC860F0AFABA3286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.850{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1802CF262301DA4A0C02E9315719920,SHA256=CBE9B0561323581C84BFBA4704EC8AC9FAC692A48D7E72DFA6A5E95C1322BEE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028420Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:21.179{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028419Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:23.142{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F055BB45A63CCF3183670EBCB9A71F,SHA256=C3CEDF3978511DE07970A02D4FCDC088CC4BFF624DFF1A31B8F94C898282F076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dll.auxMD5=A8E16B0835C7BA8888173106EDFD7698,SHA256=7D44F7630D8C42C9BCBA5DB5C74B36391E11FC17D4FAF6D26C452C1BD3E359EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.734{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M06ORVAQ4N\System.Security.ni.dllMD5=B92BEE33B09857E5DB60DF34BED170CA,SHA256=C07B57EDCAACD9E9B6CA2340A8DAB75CCF3BE99EDDF063804E73FFB74CDE645D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.719{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LYGE1N23YW\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dll.auxMD5=C4E4AFE001B45754A961F829FA2AA4FA,SHA256=AD75AEFF2DD869B6EBA26338422C0DA1577C6D99923183CA8E58F68D71873E64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.182{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LUC2W71J27\Microsoft.CSharp.ni.dllMD5=3DA8C7A3CE434CDF212B055456B2D5AD,SHA256=800BC5C217E541299A28DCF0F10BCD943B74F33E250FAFCE57D3BCBE02060463,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.097{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dll.auxMD5=DE88ADE06E3B0B87F9EC542D03B909BD,SHA256=CA646AF9FA56EDA1FF4974D5AF0A9B2B360B84CC30AE311FAB387D747E11DC02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:23.097{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\LMV1K7MTCD\PresentationFramework.ni.dllMD5=585F7866FCC0FE6A5D732D961852CC62,SHA256=1DA8CCE6A338D38A2D88A14748AED2156D2B95311FB4EB5CD0A5BE147BCD403F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.865{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23C71F44023818795DF961FEBADCC9B,SHA256=1DB315068465F751A2723E08D468884E7B7AFB08EFDCB53358168B897C1A2E9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028421Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:24.376{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EE1083592918A35EA95BDFFC338428C,SHA256=4FE3E49C9C061F3972EC0151972EA7FFFACDD4249EA041F91BACF011ADFFFAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.718{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dll.auxMD5=4000DCA0209C14C9BCD1DD177196F2B5,SHA256=83875A2E7B0EA34843C1D8EBC0980BEC7A91B6E1FE4B11BCE69E81BBDDFFC942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.718{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MIUYZJ4R64\System.Data.ni.dllMD5=E0DF78698CCBBBD22D7DF8B84B214338,SHA256=D5D79E6A941196BDDAA97DD97CE08D88F5D49F6F6BBE4DC1BE1BD3BC2DD611D8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.697{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4C8136662F4EE72A9F39F25EA19089DF,SHA256=BC0A55553612F6FBFB302BCD7C20610B48D3656CE383357430D6A5DD4F3827B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.266{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.266{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\M9TLN9HBIF\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.880{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA3B990887696FB72364871294F1293F,SHA256=851F3DA48C45EEB428C08009F39FF19CABD5168FEB8385DA7681321E3392DEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028422Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:25.439{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD2302CFDF15C4F20022E32352CABEC,SHA256=2B2E0B5394B180E7B12614B5C985C69D5D5329C33E2E6B0282317A770FB1DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.480{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dll.auxMD5=6C339FFF8233C29C022D6F64132B3565,SHA256=245A00C8C84BF6FDC07FA7C3AA0F192283A8D1E55AA1FC5212B59BDBE5B0DC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.480{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N0IVNE6B7B\System.Transactions.ni.dllMD5=B419B44AAD97CA3AA622FC69F9F700EF,SHA256=85E6B77303F3C2B52190AD6ECB73FFF9A6EB42C02D61D315128653B8D806ED7F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.465{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dll.auxMD5=55B9DBFF22E9F9EA9030C8506FBB4BDD,SHA256=21857952A4D88926E936A4E055A5A32BC852B2C854FB5B5D02E2CE26FA11076B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.465{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MQOCM2A3T9\System.Data.ni.dllMD5=5B8A1387F38B3747F281326AE0AE6046,SHA256=72AFDE4C5841503A8DA13C06C8132644F73CE9B49086AF3B3DDBA5F85FA3D3D4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.034{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dll.auxMD5=AB37B4D34FC53F43A723D713E12B4003,SHA256=47AFE86256B978AB7CC1A26216ADFCBB2C3B3BE59AA00ED8EF85B73360C40569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:25.034{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\MMFOGD1HWU\System.Xml.ni.dllMD5=6D871CEE5183880F2C6E45D4A633B9BB,SHA256=08C1A990205468C817F6A1084644002912BDD347EC03D4139E99E54424A86960,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N7F7OPQH0I\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.949{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.933{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N771T2GRDN\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.913{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B484EA4B82C35F4D59EE4A914CEED9C2,SHA256=F2ACBA2C8DA1B1C468A35DEF459C698AA72D38AFA3CF10E3D84A0401F7F9C6DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028424Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:26.670{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DED9CE5AFD7EDDA3A0272A86F8A458DF,SHA256=B6D06534DBB487E23DC645D04FBB29EB0DFD48994F03DDB0D087B36D6B9EB03D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:24.099{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.064{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:26.064{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\N6GEV7NRLJ\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028423Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:24.026{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.933{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4B4BB9B5BADB25007A0D8D9C54F37A,SHA256=6E5E8C73D4EB8E9740653042ABD75475D8A61F56685E5AFB785CD2044494A35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028425Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:27.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1583E9E2CBEE0ED2DF3C3B2DDE3C2BE,SHA256=005AC31B8A24DAF8E18DC2E09BDDEA7A02EFF7B2B808DB3CDBE498148873B7A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dll.auxMD5=0CBC2C9737233F80F1C8DD57CE1AE88C,SHA256=6E18B2C2DFA32D6F4925D1BBE903FD9049472C36261FEBA8DD59628E8C6A9F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NO21KQA2HF\System.Configuration.Install.ni.dllMD5=2582241664CA944A32E31176A66CF0C6,SHA256=B7C2F435943924E46E604D1D35C1835920CC706BF320D85179E53CA0F84354FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dll.auxMD5=EDB7CB075A217959013CD75CE405CCD2,SHA256=240A71F1AF20552B564ACE0F494BDFFCA2B3982D62D762D1E71E6E1535797972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:27.649{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NL4EC7YXBV\System.Data.ni.dllMD5=7ABB236413DDD5D4953BB3A2C663E53F,SHA256=D14A3A1F1851D9FD244CBF574F22A3B94B05FBBBC6147381E68F694AD59574E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028426Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:28.906{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD196D1396F77F4799EFFD9B41AA6487,SHA256=FA0F7E40BB1D8883BE2FF5E84BEFBB99F445E2D08EB2C5B5811909100DD9DBC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.947{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=305CA7D53FFF00863D3D3BC91EBAEAD2,SHA256=D66B5FA1CC67B6F9D5AFE7D02BF67A72B52AFF9D341EA5C656AE23CEF806956F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.595{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dll.auxMD5=694406FEC9A4D3335D220AADB0FA8797,SHA256=45E44499273F3E2F07640B16480103FEAE49022794D70F6B761C1B8A7D283CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.595{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O4I2YE29AG\System.ComponentModel.Composition.ni.dllMD5=0632FC2C8FE933134DC4039823BF7DDA,SHA256=65074EB6B679C8BEFA936EC373CCFDB9EAE1A71563936A3F77DDE751164D8143,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.548{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dll.auxMD5=AE1806558A5233CA0895E229CA9A5CDD,SHA256=BF8A1C5F9A51673F43C265FD747004440EA4B3BC1CE92378D2A9C6B197995F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.532{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NYU4M9NQO7\System.Drawing.ni.dllMD5=FDBA63CB8F1C68D60D66AC4C25A52A2D,SHA256=9DFCA47793FC5BA5B8158ABB6E3487263E7967F0CD4533083D465AB38EA2018C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.479{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dll.auxMD5=48FFD457B52D2283A43AAA2D8D7B2895,SHA256=529CDC113FC10D5542623FECA65BED08EF6A85D46AD9F372D32D25C91224FB54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.463{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NVJRBVWD7A\System.Core.ni.dllMD5=783B07F6DC4FEB9350CE7157E6240EA5,SHA256=A3CDC262830D14397834BF31D00E6F5179BFA6B9E570BD76C623E6033A0FF60D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.095{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dll.auxMD5=CC9F9CB4F637C42741255EF17203B47C,SHA256=370A27D995B8AC7DEC609867B2B7BBEA89A465AB01320C77D7F8CB57793DC76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:28.095{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\NSCDQAJZZE\System.Data.ni.dllMD5=4CE9DA541633C93EAE8D016C36CA6BF4,SHA256=08E8F1F9463152B6AABF02E6A7CB02A2DA4608AD745320837A9718B87B52AA29,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.962{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C3F362D9008994E54AD4ED99D49CCD,SHA256=5686B7B15B4BAC9FCE168F638BAFEC13EA0759C1B5BE4F8AEB61B92BA401C094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OHA33DE8FN\System.Management.ni.dll.auxMD5=CCBA581D1AE4127E8E8C1E8326D49761,SHA256=4D8C3BA60FD1E09A0DFF0A00FBC68AF12DC3C85C20BE290319C9DE464F483EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.931{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OHA33DE8FN\System.Management.ni.dllMD5=57063C01F33CD670DFB69D6FCC9A121D,SHA256=911E07923D182AA145FA9818B97EBBC31CF79AF003D918CC09E2D71E63F7FB9D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.914{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dll.auxMD5=F5E454AFEA99BF074A1D3313654C9C7C,SHA256=15FFAD8EC46C0265F01EE5C5891650A8C1D7D481080057D01EC1F0B597D009F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.913{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OFVXZGR1VK\System.ni.dllMD5=D60796FB70D97A574714D0C77F93D97D,SHA256=A1C4314F753DA4EE230B0AB995A4F9EC872F35780174F6E060A1DF56EBBBD6EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.094{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.094{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OD8WEIQHVA\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.047{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dll.auxMD5=EB3705BF415BBFABE3EEF435BB9CAADD,SHA256=19E4BFB51F3918297F82E34403F9F1935B17BBC2A78E6C4247D6089C94C8BF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:29.047{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\O8XCWSNQV8\System.Core.ni.dllMD5=D34A762C6315A7E500BD3DC88FEDD43D,SHA256=80E62A15C9EB0FAB896B1D0A216D1C3AB4C103B8F957DB46C14E6DD9614D43FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.977{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A59E9E87E0033C94A8D02955EF7CED31,SHA256=A527BAF737F32F8A6EACB4D853DB0FFEF14F05B05A9290EF2C6E88D96071F62E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028427Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:30.062{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68142893E5D3DC5C08EA8A22A851D014,SHA256=E5EEB5B5958C7C6164067FF876F77EAF1770A6E05E780714879FE4954A1B6FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dll.auxMD5=74E5478F4A51B682700233CD6B7C05DC,SHA256=4BC93A21F6F5BE0B8E4ACFB6F96A6F3B1444A8310826E2CCC4DD8862E4D6F3E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P1WYFUDXSN\System.Security.ni.dllMD5=D518D6481A2B6037B8E61101718E6EB3,SHA256=154839515F16941BB2AB2FF9716A5CBCA5FECCD9CEAF9D0D51BA9797F3B98721,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.793{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dll.auxMD5=F07B09293E0492E71E96C7A764BB524D,SHA256=A24285135DCD60675A12C5E36DF5B3FD7AEEEACFD305973C262A0C73053C7703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.793{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P0RK1OW14J\System.Configuration.ni.dllMD5=B0386808CBC978446F0D8638C53F9F02,SHA256=7E05166D981CF6FA3157EE088305E2B901B9721FCED6370E9D1CE7511A71AC64,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.710{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dll.auxMD5=5DCD12C73B9F94AD86DD5CCFF0961B76,SHA256=F48412CADA48829BCA494224CE73B46166853194748E6A93117C35D3A388A473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.709{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OXYH1ETAXY\System.Core.ni.dllMD5=0AA216B359BB985E91C06D6CEC347EF2,SHA256=5EDE9B67C3A3A41FCC240B0D7F27764343BD8C1BB1EAC39F441E00C6E5066C92,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.031{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dll.auxMD5=5BE283A9E68591B32773566F147A211F,SHA256=83CFFD1BAEA158353574578F2145C054F207526C8E544F114652C4EF01713BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.031{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\OOS41VYSH3\System.DirectoryServices.ni.dllMD5=8CE05080E8212D45575DB5EC52382363,SHA256=B2960982ADB25974561E8356470B1234CDEC00F5FDBAFDC39F221B37F914433E,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028429Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:29.946{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028428Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:31.109{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111543E9A15926F28F5F471AD538AFB4,SHA256=4A40A5FDFC25117245CBD26777EC74DCB554FF4FAC74C0D06107123226D99498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88CA6010F473590B23CECE289D495AFA,SHA256=83844FE698CD93AC701A962AC346D2D4CFFA04E4880493C171391873776CA4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D46502967A9808067598AC7B540543F6,SHA256=69271DC4E477E41E9DC5CA105D19D96192ECDC8BB20224BF72DAF652F35FE10A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:30.011{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PC4QJUM510\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.492{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P5RBFV7DTM\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.413{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dll.auxMD5=0B7B3547A6755335583D2C975D27717F,SHA256=CB5ECB0625E0E2D5C2A864279FFAFC96048F0E10B0A47437B6CA6D8FA2DAE6E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:31.412{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\P3LFTWOA7M\System.Core.ni.dllMD5=90F0732AF7D2F9207DEA5BD7ECAD33B0,SHA256=C929FD867AE7413965067562351E1DFA8D05721D5A6151A3B575EB94B970F923,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028430Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:32.344{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBE0BA5CA846D6E04D08E435F64095D,SHA256=A1B18B56416E2B444B56F3A109B46C08E6B3243748DAD7F2465CB6116D9E53FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=AB98CA7C43DC26855652B207A9BD2094,SHA256=7278E63A49DC8E81FAF4371A8397BE20166B2551908F7525E4AB8BAD22E832F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=C436DD402050BA89DB203B2652F16FC5,SHA256=CF8CF2B136233D56709739233B60EE1AD8AD2E5471C19B96831A9253FC5B007C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E26ED0E18436CDD1F18ED3154828C9F4,SHA256=25DF6B4AD6705BD75481DDAA7B97CD7B2DDF415877728256B2302DB47EF784E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=07639C381EC0DB010E9C801F1068C1F2,SHA256=8C76735649E8E0D85EB738EE9150C2FEBA1F7036E03FBCD281FA24025B1DAAE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=D0C527F6C886FE030322CE9E049C1634,SHA256=92003F4E0F7179DB4958CF7F7FBE9B707F5EAE54676D0E585E0D7F1C4400F70E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.591{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=4BB7CB6C44DDB6F87452F67E1EB1A498,SHA256=5A72FB98EF23E21A514F100F1DCFDEE94F12B98B996D7BECE1C2ACAFD27BEC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dll.auxMD5=67EA7579FBE5D95C014B695402882EE0,SHA256=02A0F13F1E4E2882F3F1298FD9F09EDC0DF787CB503D2929A7536ABCE64D90FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PYJA7OW6LL\System.Transactions.ni.dllMD5=0111D3A2E533281DC6DD7C981CB8CAA1,SHA256=600DE357800878318E9B1C166BF9402EACA737CADBAB9ADCB7FDF8BBA6C67030,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.545{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dll.auxMD5=D4AF447AE12A5806CB93B8D78E283140,SHA256=09DBF9D69C0FA8722ED60CCB128241D63E23DBAAC1AC0C3406136024ECC0EEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.545{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PL1HU7TT90\System.Numerics.ni.dllMD5=5FF3E0606A26FD5CED8795E64BD23991,SHA256=3100FEDE83BB1EF84518D4DDF9344F0FA72E1797C5934D4BDC3C0473463C8693,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.476{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dll.auxMD5=1CD640D915EAE872FC60479FB1991D49,SHA256=4136E63F0E092B2DB0DB99F29185481D5F9CF9273FB96BB33273FC4B8F077704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.476{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\PG3AN2E5Y1\PresentationFramework.ni.dllMD5=F4BE31FD7508880EBE11971999150E20,SHA256=67784892A02B103C517FFBCEB07F743E14E727539AADA82138342FEAECD1C8C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:32.013{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6429038346E459EB83B2AFE047CCB31,SHA256=0E0667682E694FCBA7D709D19CA52FEBDEEF046141D48BE99C2BD61077E8AE26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028431Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:33.578{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B7C35EC8D828B5FFA140ABFA89E49B,SHA256=79926102D3B3AAB5CEADE532E26A426C058FD03D89F88F33F27E7DCE0BF5A18E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.609{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dll.auxMD5=83B0819F19853C14765B24B1AD811ABC,SHA256=24231188EFF9EBADA282616086E59934ECD0A180EACC8CBA3A623AE1026052BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.607{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q2MFXXO1IW\System.Web.ni.dllMD5=5AD420742C2665182250F7D95FF74A76,SHA256=7A8D4B30B8FF51570A614F387F29715B80B2BBC4C7BB4213062AD17DDA698C4A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:33.028{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F97CD35069921DA9A3208F18097C97,SHA256=5C09786903633E0A424B9416A8D8361DB5AC8837A81E72734E13C61DD6D74B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028432Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:34.750{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=618541B64143B2BBD2777D3C16A029A8,SHA256=EA3BE9A4B412A42AB4AA2C99F1D4501670C666725391D7CBAF560B530A0179EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.390{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dll.auxMD5=D9EA29F8B3C587F8A388E2C44AF446DD,SHA256=61515EE0004F0BA51135A47837FFBCC51EC1417BF6C4D10BDB1F4DA6E2C17F64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.390{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Q5MF3AYVTA\System.ServiceModel.ni.dllMD5=72297374A83EFE1E568D5F1AA1B4E748,SHA256=0C5281E6416D4F9EEE59F1CAA2C737DB472DEBC0A7F15B038484A51AD2D9634A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:34.059{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163B19EB090A9C7C1B6585DB4F4340EC,SHA256=40D40E2E5C4CEDA514C8B5DC96702CAEC5915FBB14E176962619D596BAFB09D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028433Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:35.766{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDFB0DB5F278C718F8DBEBDE7CEFF46,SHA256=63F6F2633D43A58C945DC6ADA8B73DF2A7CAFF78780FD5D8B8E795BDC04A62B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.926{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dll.auxMD5=FB48CBD15429C7B1F9A14E82CDF8B24D,SHA256=E11D297738EB6EFD68E74B919FC25F124C6CC4AE3E1C7595BB224BF4567C30FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXL4YWDM1H\System.ServiceProcess.ni.dllMD5=52E1C1642839FB780CD29C337867C549,SHA256=5823F6CC6549B5FE1FDFF03DCF1B95DFAFDE9D381C04D3C8F5BDCC636A053E54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dll.auxMD5=6A7FCA88EB093FE1BB082E272AC2421D,SHA256=A5950FA568159B35AA8963997DB039E0CCBABC8668001E24B0E8E7B05467B0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.510{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QSGIT28P8A\System.Xml.ni.dllMD5=D2D51896FC97FC53362B468BA49EEE3A,SHA256=D42A3DE02488863E75FAED49C251D958F8C26CC2F523ACA01D0F0CAC4052F78C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.127{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dll.auxMD5=4C4FFFC3E154C905C9C643845FCE328A,SHA256=1F43D99B3935FB07CC6C6340C832C92C43495F06826C07A01FEBF4BF1E97336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.111{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QGHMUB8IBD\System.ni.dllMD5=78947C49BA92424CC6AA6E8CD6D1CB3A,SHA256=4123DF564E230E74A1AB0AB44271D9B033898AE5F9BD741BB3C914D6F1D539C7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.089{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60447DB48F5E61DBB2477A2A4BA6844A,SHA256=AA4C78131593923E81A760CFE406AED28E81A70FE8D27FCE52C6AA21A53DA35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028435Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:36.781{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6EA3A3736B8928639072141AE5D24F,SHA256=77C637A30FC03AAF6A5B0838AF754B774448C92FF15DC584D002DA37B987B3D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028434Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:35.071{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.726{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dll.auxMD5=9651A4D69D091A91F7509B493895084C,SHA256=7F97FFC6DBCF14DEF386747D99B2204F6C0BE9C123F585888BF0BC23B424155B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.726{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RFANI0AIQZ\System.ni.dllMD5=0D511A145E1BEFBF8048E4958B18EF8C,SHA256=5B4E622B50F3659A09BC10F7047FB5AECD568565E358232DBD8B85B615F42FB0,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000056413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:35.122{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.173{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7B86D1672D73FCE8444BD703BFFF26,SHA256=EAFB832C1D36C66BF57CA1DFAF7F9A3DBDA719CCC0D3DDD6DCBE222ECCB0C1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dll.auxMD5=0ABA8EE4C96771CD3B6CD56A2DA9CBF6,SHA256=9C26CAC4A3E0C19DF4928C90F5F36A2D5AA689905B7AF3E9A7CBA5B925753D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:36.041{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\QXUP2CX6WS\System.ni.dllMD5=FC806E761F72F4A41798B08766D9DB13,SHA256=1B6FB65CE6BCF66CE1BFC0BE58F06DD2949012D03BF79CE67EB35A20A5460839,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028436Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:37.781{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFDC999FA231E36C5E10E27C59B35B02,SHA256=D2F8D03DA087AE9B21C2A18736BBDDF86BE2952445BAB6344B9536FC43536239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.808{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dll.auxMD5=24C96490414503BD6F9A89910E524FE6,SHA256=90368670D86C6D23108DEFB97877396DB68D63E4C13B11C6F482519FD387661B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.807{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\S28N7JUG56\System.ServiceModel.Channels.ni.dllMD5=0B906FCE3A311AB81C8EBEA00FD629F0,SHA256=E7F372A1C2CF8BDA12DBD0860F3562D207689D5C6BECCE0015EF5CA97E7649E5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.741{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dll.auxMD5=3C0E46C45BCF91E9607FCCE8F2EB1153,SHA256=8B62160D2B2016E7615E19AF407C52A66A6AB89F6AA48255F39D85AD826A6391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.741{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RWWS0XEEX8\System.Management.ni.dllMD5=ED030D562E600AD124F818C0F59AE89D,SHA256=5080BE95FA9CA821324B2094792AE5A473F1CFBC38E20209EFDC3E775D054CE4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dll.auxMD5=CCF15A1A5478AD4C9A6C5EAC3B4EDB1D,SHA256=80C7E515F2F30459C447E0C663804F04B2325BC9F6246CC881B933FFF502A2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RTNTAJ5QYG\System.Xml.Linq.ni.dllMD5=01675F7E454CEA910CBAEB0A7D4BF59F,SHA256=0F6DF0E70167F51DABB0B82E921D337094D2833E91B72BF4BE15756F8E49DA88,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dll.auxMD5=4F6E2CF657AB3C20B463DF7873DF8594,SHA256=F609CD67B4E59BCAEA6C8472B314A28DCF1872AA6EE9113BF399F45726EB4F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RLJ402KVPV\Microsoft.CSharp.ni.dllMD5=5F895695883F631A993A0F8F582807B3,SHA256=1C785DA125A9DF9516988A97E44348DB77186BA39EFF3C7F82E5391505B61CC8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dll.auxMD5=AD2C4453E59EB7892FA2CC4ABD0A7E7C,SHA256=DE2C69FD102FE3E1072F2FA0F3FB9625D65E9059393B2664F5D464A7E3FEA7BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\RK5K12ZZVI\System.Data.ni.dllMD5=504A4880B14625199F3F1AEFCCE6B202,SHA256=3F6D6E89B2EBE19C15EDBC2E78B8BE32178FDB37A8C1DB5A46DB8A76701910EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:37.188{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1C48AF510A30E66E28EDD69D2F1762,SHA256=813CAB12BE2182D5A5E332C69518344F48F997F89E990F2952D36E82C2061160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028437Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:38.797{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07FF49C7056767A81ADB987060C50F8E,SHA256=1C16EE539B54FEB8997E507E9839DAD7786ACC384831E20FB3CDD182E47B270D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B0B023C4DE056F1059856F419B5D9D3,SHA256=826D2E10A94563C3A50A1E990D7E736F4888F42573AA77A58C635A21516E30C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88CA6010F473590B23CECE289D495AFA,SHA256=83844FE698CD93AC701A962AC346D2D4CFFA04E4880493C171391873776CA4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.672{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dll.auxMD5=9C2C1DF16379BF958B0D67E0B3610AE4,SHA256=AFBE99A8170E89F98A87750E88CC02E6E9B7B6E188CA47043EB1B64C68FA0B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.672{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SG3QQYR109\System.Core.ni.dllMD5=E0408356E6103FCD924AC2285DC1C885,SHA256=0D45CD52A92CB9B17E8931E21B3183C8605255624264C10BF9B5AB5FF14D8D0D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.341{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dll.auxMD5=02AA118D8E3C67485AE986D7809E5813,SHA256=B90C0DD717587FAB26AE04FAA85FAB8119FF23CDD5596A954BC5E660BB3EB1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.341{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SE93RZEWOY\System.ni.dllMD5=6D7E9BF18E21AD794AF893EBB009E6A7,SHA256=837C8E670276112124615988CF0B655B6202FD2F351A34F56A7159AF12C4855A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:38.209{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4933175EFC2B150CD3F0A3215514D764,SHA256=26DE4BBF8080376D3E829648E5437F300EB951D9BD6ACAD8B3DAB467870CCEE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028438Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:39.813{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E9393E47790D5F55C3A6D2C7409B306,SHA256=16347E0752423C7606698B4496415DDD0CAA377F14E3E7099E57E231DA7A2DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.571{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dll.auxMD5=E01ABDE7405B6917FD52CBCECEDFB15C,SHA256=73DEA8197F091277613BAAFEDBE37A4231410291B5AFABAC8D6907407482215B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.571{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SWWQ6AOVGJ\System.Xml.ni.dllMD5=5F6EA5E77659D339DC666E0BCCD7B0FB,SHA256=D03C42DCD3565491379E0C0940E60507EB8B28F6FAC705F98D68A788AA31F8C8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.287{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dll.auxMD5=DCEFC8B9CB7245B90F2A6AA4084A0F71,SHA256=3760AFB996B9C1860A13167C3DA5FD6B019EE185076145A71387745DC8DA24A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.287{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SUK77Z1XOM\System.Drawing.ni.dllMD5=E8956B039DFD94E1EDBD129DE56F3F2D,SHA256=1DAC647C4642EB0A13A5135BCAF254A30E477CD5DF6BD7DF978F2065CAF5BFE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.255{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6A7DA740D9DB6CB5C9AA9D9C3B0F19C,SHA256=E22E8B7345EF9854929F4EE11DD9B6515F36F66EB3C4875AED0B0CBD795727F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dll.auxMD5=FE20915E753A6B48C1D7C978C1AFF282,SHA256=D66CA48589CA1B1CCCDFDE70ECB6B57B258A0962DA308809DD46E0F4ABEC0D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SU6BGTV8II\System.Management.ni.dllMD5=A2398F5CDEEC4226380CB620C5D180D8,SHA256=4007C9B8A5360D49CD4DA98D262DA539AD790AA13CA54712757441B1C56F2980,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.187{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dll.auxMD5=A1123A272EA45D0BE152C0EEBD6784E2,SHA256=5B0E627B5F7CFC5A685543302698C7882E396403C78E13DE7A7443221A86F536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.187{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SQ7M0TZAP9\System.Management.ni.dllMD5=1EE419429DFC6FD092EA7828ED535BFB,SHA256=66C905BB59A36F4F0D862B6C9C7125C212BCD31DC12821EEB4B7B72994CAA787,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.108{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dll.auxMD5=68F3E83339872D673C61BCDADE513017,SHA256=25ECE5E7917FE392F280C93C69EA441333898E738D28AE8C2F578E364ED7DA77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:39.108{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\SNLOKA1ZYO\System.Core.ni.dllMD5=E993EA2898B9C9812D58FFE1AE84E74B,SHA256=28BB8495AE0284A1262A0A7F02F222498059917F05A973937589A60F9C8A23E2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028439Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:40.828{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301CA183C36698DA06C8BCC6BA52FE52,SHA256=3386FA05EAAA03F70B67FB774494E5665BDF05D34FA524BA526221DBBD806B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.785{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T7DUA2RN2I\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C6200E1CD876A9B953AC9CA06ADF2B,SHA256=23BE6A69BAD0274C91D22532D26DB30CE3B8A79B427F7A18CB0CCFC93DD00CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.070{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dll.auxMD5=F17814BA3A499E75D25D8600316A312E,SHA256=83B003AF767D928434650744A536BB23C6BEB46D3D16DD964DBE77382A1EADC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:40.070{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\T35SMSC9NL\System.Core.ni.dllMD5=BABB1248300114458CE418D687F12C45,SHA256=2C4CF0E399747B3A28FAF4BED3A5DB80E1B32E39A1F6AD1A24DCEB2F4BDBD731,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028440Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:41.859{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E530BF709E02A297F14F3CC2B43D8D,SHA256=AC3C74C9881B74620158DBBAEAAB66EF2C61C3C50BEA917CAAA6CFFF44ECAB96,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000056458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.385{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\AlternateServices.txt2021-07-19 10:42:41.385 23542300x800000000000000056457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.370{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dll.auxMD5=345B032FDAB64413D929BFBDE26FDCD7,SHA256=2071BD12C470F01C83E6EFFBADF7E960568551E140259A99309F9CFF8BE70FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.354{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TREBLZ8848\System.Transactions.ni.dllMD5=CD8B06DACE1AE70F053FB67F75439D1A,SHA256=0D78871A1A1AFA2B8AE0A97E0D781565C2014C1A4C687D3731557233DD0684C3,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000056455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txt2021-07-19 10:42:41.286 23542300x800000000000000056454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dll.auxMD5=6C52FA11480271A7CA24597B93F7BB04,SHA256=61F5983290D91AB3DF009F8C874FA8FE2746C9AB30195650831EE3035CB71CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.286{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TKH0RXDAYQ\System.Drawing.ni.dllMD5=C0CD3B953E9ADDA2C2CA1B521CAC444A,SHA256=792530B90A2559951E4A2DBECBE5B4B3FDC08CB4140A89FC252E49C9FD342359,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA095F2D5287A44182BD6DD9C7E7BA8,SHA256=2313AED49508E4283349298CFA1F93D16E944465E3C43BEFF316F68E2E63FBC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.254{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dll.auxMD5=7A44EFFA7DCC91B7C5544BE94DCAB99B,SHA256=82430CD1974781DDBA8E3229219F17123658865551FEC8BC2D4290A1B5106A91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.254{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\TGY81KS0Z5\System.ni.dllMD5=D52C7EE4CFB46F754E22E0C2A47AE1F7,SHA256=70C0BF60131A45390406D3C461BEE5C0449868CD3E9B41A89FD5808F16D9516E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000028442Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:42.953{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83ED572EA0AF2746A06E028C361CFD1,SHA256=FBC4AD169BF1625CAC73A3928C9466D1A2E99E9137E7D8EFC8496335F1C48A2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:41.019{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65068-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dll.auxMD5=4D66BF5119D58A48BD3F7A7AD7354010,SHA256=131D289921A8DADB218DF0D0E67B3EF964AD315171A92823D7FF5B7881E1CA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.606{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UD49G3NY52\System.Core.ni.dllMD5=2A6660246DC3C48C26515DC456C27404,SHA256=3A9DE09DE10C5F9F3A1D3B49FEF7A50181275A29E7A6B909E2850D80DD736457,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.284{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E04F6CFCCBADA3006E3EE3020F4E4186,SHA256=5C8F69E02BAC3082B820B5FBB5F6C078075A4C6C7D109755BF8FB715C3E1F1BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028441Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:40.993{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.206{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dll.auxMD5=1B8DC30D3E1603C9DFC6045DE267AF71,SHA256=9760764A3E526F12D9481D6A6D9590E737DDEDFAB481D8ECB2296CB32C0DF0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.206{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U97084HOD2\CustomMarshalers.ni.dllMD5=53F371A0174862A68DC878FBC0D61266,SHA256=9FB938EC3F9D66E64AD525DE4F30CF27153A929044D64DBB8874CE5B01F8697F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.204{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U739SMKF5F\System.Core.ni.dll.auxMD5=0BD1EE710359986138D606E01704020C,SHA256=039FB40AD72E182F9DC338A4B476A09DF5BC0C16D5D4E6EA98AEF90608E93000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.203{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U739SMKF5F\System.Core.ni.dllMD5=FCAFF91D24B5B6E9F40F800BEA34540C,SHA256=52F9E74C79109EC06AE07F6F4033FC4C264B560FB7082F25CAC99C7A3885D23C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dll.auxMD5=41EEBA98CCE6653861F4C0A7CE5DABB0,SHA256=30029B1A6AB901F5296117A11EF64E86D2CD12CDE5513326A8322C7389B31923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0PIT4VXCM\System.IO.Compression.ni.dllMD5=222717FF5E045032C8546855A709602C,SHA256=A51C561900046AC9B7FA831C5499459E234999D2E48F326ECC85A94FC5E5C193,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dll.auxMD5=3BF11075FF377DABD00295A10B159897,SHA256=06CD7958ED343C21E2B632F48856453AB2FDB59C7C3B82D30FC94BE485E62884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:42.122{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\U0MLKMHPO2\System.Web.ni.dllMD5=A0A7A24BBB1337F0F402CA464D0270CF,SHA256=7A6208DE8BAF9327E0195E456E67B16729EACB4BF7CB6D9CD1C9A79F58B1F2FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.867{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.867{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\V6PJ8FVQ98\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dll.auxMD5=8F1FD4778E91747A58145154E17EA5AF,SHA256=5F51126070FAC3B2FE9EFFC6F556531FCF6A24E2CDABA5256662A878DFC9E787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.804{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\UDREXPIV9W\PresentationFramework.ni.dllMD5=4EB0ACB2849F125982D53B74DBA06226,SHA256=BAB44F496D0350D8D73DD0CC0D493CC1C5F26C6A4959F50CBBDA7560E58A220E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:43.302{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49084F599DBCB772E864565EA293D997,SHA256=0CF5B144C2EE7FE51131989ECCCEA2C6ACD6E0EBE4DBCE51EA47674CF2970765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dll.auxMD5=FC4A9B25E8155BEA4F2BAD2E9934B186,SHA256=E75825CDB00102013ED61BA8DC72868336265A7A43AFE27482A839A08E34DE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W0SJHH1P9V\System.Numerics.ni.dllMD5=0302AAD9C6C6C01BDD78B04909FF39FC,SHA256=EF8E4770CE7024DDF0796A901E32C0D76F1ABD6508ECF24129A56EB18CC7C677,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.982{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dll.auxMD5=040DE208CE1EB5D0024CE936E00E3392,SHA256=33953292338BFB6EE2756974051377A824A6C6DA3BA533A3FBA6D86218957BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.967{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VX4BCJ2LB7\System.Xml.ni.dllMD5=6644706835E5D443B9822C53AED1B87C,SHA256=14CFCA3962038FEEFF28F93571BDA791D9DAF2FB8E34C066E027DBEF1D07F5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.883{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\y7l8cnva.default-release\cache2\indexMD5=A5591CE17034C565965AC09B3D45409A,SHA256=E995CE7CDDC8897407AAC246DD81154D159D9FA2CC23E9A4442FEF36D3831526,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000056485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:44.867{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6676.3.125328132C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:44.867{43EB4363-55FD-60F5-AE08-00000000E501}6676\chrome.6676.3.125328132C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.867{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29f5251|C:\Program Files\Mozilla Firefox\xul.dll+29d22ea|C:\Program Files\Mozilla Firefox\xul.dll+29d3924|C:\Program Files\Mozilla Firefox\xul.dll+29d6413|C:\Program Files\Mozilla Firefox\xul.dll+1a72d19|C:\Program Files\Mozilla Firefox\xul.dll+1a6d767|C:\Program Files\Mozilla Firefox\xul.dll+58ae95|C:\Program Files\Mozilla Firefox\xul.dll+58aa11|C:\Program Files\Mozilla Firefox\xul.dll+2ec4125|C:\Program Files\Mozilla Firefox\xul.dll+28808c|C:\Program Files\Mozilla Firefox\xul.dll+286a75|C:\Program Files\Mozilla Firefox\xul.dll+1a72550|C:\Program Files\Mozilla Firefox\xul.dll+532865|C:\Program Files\Mozilla Firefox\xul.dll+4ced26|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+485239|C:\Program Files\Mozilla Firefox\xul.dll+1c72dcc|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613 23542300x800000000000000056482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.600{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dll.auxMD5=EB049ABA5517841C734115079F8BD603,SHA256=2877312EFE8951A61700B5A8981F42E506060308E5D402F8E5FC7F879EDAC5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.599{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VOKV399A76\System.Numerics.ni.dllMD5=D282D2158C31BBF5B31EE855F7B15EC7,SHA256=72E1074D33DC23AB1D680257B353F3C2210E1C9095D3284570DC678FA3E93907,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.582{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dll.auxMD5=EA64890856D84601CF0F15F8F925876E,SHA256=BC3CBF89983AF4F608D30A0FA34FB62C3F716BF7B77DAF65A806DD567D4EEA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.582{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VGSM4TUE6Y\System.Configuration.ni.dllMD5=7C4B6B49CBB1C3DBAA853BD4E51B378B,SHA256=91DE196C16599FE3164E02F877E74D5F2526AC8C0B8DFDDD3A07D072654E8E98,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.520{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dll.auxMD5=9DB501C48DC60DBFB5B0DEA1779EE47C,SHA256=A0D973D80250931A6FB9EE13DF0B860E736D456AEA631120A0012B15DAA98562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.520{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\VFP45VJMS1\System.ni.dllMD5=250BD9B205730F5DAA6260EEF61B4390,SHA256=E2ED60C97B5D4342A06BE98C8930413714AE287B8E678833C0A81DF457D20101,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.320{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F94D833505D9148D975A4F7F3AB7A11,SHA256=0EA342BE7CA574A5CEBE96F70E1147511A2F14F43F06CB5670C4A9FBE4402A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028443Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:44.047{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961A81B83D8DB89046C72E3583293464,SHA256=B95A0C3F3195A7FE1556A0A27E1EB00F4537008FFB14E0926F4477616E9C6ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028444Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:45.063{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52CC9EA5A14658923C443DDE7791FE5,SHA256=3500F0DD0E2BF6160BD696A766F5EA02655600C8F5289DD4910475DB549C19CC,IMPHASH=00000000000000000000000000000000falsetrue 17141700x800000000000000056539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.54.139314391C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.53.117275825C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307c21|C:\Program Files\Mozilla Firefox\xul.dll+1866ca1|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.52.11278245C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307b21|C:\Program Files\Mozilla Firefox\xul.dll+1866abe|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.51.78117614C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307a21|C:\Program Files\Mozilla Firefox\xul.dll+1866904|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.50.4550575C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+3e82ac|C:\Program Files\Mozilla Firefox\xul.dll+3e81fc|C:\Program Files\Mozilla Firefox\xul.dll+12b23b8|C:\Program Files\Mozilla Firefox\xul.dll+1307921|C:\Program Files\Mozilla Firefox\xul.dll+1866745|C:\Program Files\Mozilla Firefox\xul.dll+29d482c|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 17141700x800000000000000056530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.49.172768231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29f47e9|C:\Program Files\Mozilla Firefox\xul.dll+29d4700|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12e17ad|C:\Program Files\Mozilla Firefox\xul.dll+12b52aa|C:\Program Files\Mozilla Firefox\xul.dll+12b5164|C:\Program Files\Mozilla Firefox\xul.dll+e14869|C:\Program Files\Mozilla Firefox\xul.dll+29d4402|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518 10341000x800000000000000056514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+29d439e|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+29d4315|C:\Program Files\Mozilla Firefox\xul.dll+29f1318|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.904{43EB4363-55F0-60F5-A708-00000000E501}63406476C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+122110f|C:\Program Files\Mozilla Firefox\xul.dll+cfd024|C:\Program Files\Mozilla Firefox\xul.dll+1fe73|C:\Program Files\Mozilla Firefox\xul.dll+11fc728|C:\Program Files\Mozilla Firefox\xul.dll+1f215|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+1e76f|C:\Program Files\Mozilla Firefox\xul.dll+11fd4a1|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.898{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.897{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.897{43EB4363-55F0-60F5-A708-00000000E501}63406752C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Mozilla Firefox\firefox.exe+4330b|C:\Program Files\Mozilla Firefox\firefox.exe+24848|C:\Program Files\Mozilla Firefox\xul.dll+cfe4da|C:\Program Files\Mozilla Firefox\xul.dll+1217834|C:\Program Files\Mozilla Firefox\xul.dll+1215b02|C:\Program Files\Mozilla Firefox\xul.dll+122249e|C:\Program Files\Mozilla Firefox\xul.dll+da6214|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.892{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe89.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6340.48.475603127\362275863" -childID 7 -isForBrowser -prefsHandle 4856 -prefMapHandle 3832 -prefsLen 15150 -prefMapSize 232815 -parentBuildID 20210622155641 -appdir "C:\Program Files\Mozilla Firefox\browser" - 6340 "\\.\pipe\gecko-crash-server-pipe.6340" 588 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02LowMD5=EB061721B388D0AB67504EA4E0B9CB90,SHA256=F01545312FED4B611BC377F700B6B3AD16C5792D1D6AA5F695D61D8A7B0F23E3,IMPHASH=C483AB042998E5D3F9AC1D5A7C7ABDB2{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x800000000000000056504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.882{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.48.47560312C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dll.auxMD5=1964D64FF04708A0CF5838B9DF1E6988,SHA256=30E5029EC1D69530F1631F056368F3DB0F87DFFCA5C3E7C0D8F81706B0BFE044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WKZTAV0AK0\System.Numerics.ni.dllMD5=8E902B0115147C7B7399AC6133CFD38D,SHA256=D4DF764B7FA01B0EAFF612668AFA401B6BBE251A7F89E3B9D935479EF6259E43,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dll.auxMD5=91B2F2790B225E9B80B1642A87D19DA5,SHA256=F23B64863222A016CF4439EEDC90057CFEC21BC75A0D7D8118CE8996F42E8B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.735{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WIAV2QPVKF\System.DirectoryServices.ni.dllMD5=EB699F153BF3322C608FA8EC593641AC,SHA256=C88E1D58C19711E2951ACAD7EFB6D6F420D52D13C93B77B4E80B36396EB5AF10,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.666{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dll.auxMD5=0065E7A8A8E46E486B81AF49DEDC3662,SHA256=16EC780118ECB011D545094DA54471D9E80EEEBFD7B6FC6CC36C0950B74782BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.666{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WFQN4O5QK0\System.Xml.ni.dllMD5=AE3813D8498A050E3F1C35361CBB502B,SHA256=D6ADECF0D79D00DE226C5558372C5A2AE2F662F9A9F0BAAB1CAE8FCCB77A525A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.320{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6375D54C80B555EA94208AD68A01E748,SHA256=048F63E64D44F90BBBD308A42470AC3FB121CBD20B915D9D3954B410DDAFC924,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000056496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:45.083{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6676.4.37372308C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:45.083{43EB4363-55FD-60F5-AE08-00000000E501}6676\chrome.6676.4.37372308C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dll.auxMD5=46C8A979AD3266DDEF725C7E593B0EC9,SHA256=44F41AE20DFD28ABE6EE0E04898C519AD9709FA50D948409B2ECD81BB20D3D37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.020{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W50MXUJNJZ\System.Numerics.ni.dllMD5=63A9B260BCFCC94E75F0B012DE2B32EF,SHA256=3BFD410197EBDCE1914F9CA077D5B2BE75A664A54D5D9B05169694327EC86CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dll.auxMD5=49EEFA3688F97076A8DC47723F5C4845,SHA256=D64824E803DF08D47FB0EC670C5695F98C0B58A6537ECE77006412EB6785766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:45.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\W1OTATR3BA\UIAutomationClient.ni.dllMD5=1C08FF101FAAAFADEFC6F118ADE6297B,SHA256=126D05D508BAC0D8FBCC8E6863A936B443B5A47E03A34F956F0514918A00D001,IMPHASH=00000000000000000000000000000000truetrue 22542200x800000000000000056553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.827{43EB4363-55F0-60F5-A708-00000000E501}6340bazaar.abuse.ch0type: 5 p2.shared.global.fastly.net;::ffff:151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000056552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.827{43EB4363-55F0-60F5-A708-00000000E501}6340bazaar.abuse.ch0type: 5 p2.shared.global.fastly.net;151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000056551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.889{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09D8FE0EFDFC331A9FCC2C8C2FA04BB6,SHA256=12D4219D1556E6FD80CBD9D9DB611EBB496C86C87392A24CEDCFA4BBC443BD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.888{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD96376F35C0D47B58E1E92D12678AD1,SHA256=0373584F998CF24BFB40EDCDB74518DF3606A99A01C5FDDB9E9F30DCE8C87D7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.828{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65069-false151.101.14.49-443https 354300x800000000000000056548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.821{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57981- 23542300x800000000000000056547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2F37BFFD846FFC75F987DDB1945DD3,SHA256=4E12867F7F49EC41ACDA0E569E8DB788058D193BCF75966236610AFA0A8D7479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028445Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:46.078{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA4CDBAB2AF5D8A0B73B01B130E6EE37,SHA256=A51350B4F4806EB7A931E3CD71A2B7C226484E433B285A866108D335642C7E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.311{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dll.auxMD5=8BA67D8C1268098CFBBA2A626FF8FC6D,SHA256=4739DF54BA9C20953325031131B36E067190CF704B808F6886195A3426F3E43F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.311{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X2S77D7DWO\System.Drawing.ni.dllMD5=25C1B73B943AFAA7C8CC9475EEB22DBD,SHA256=5C5CB8277339CD69DC9C42FD25678D6752321C18797CAA37349203D499EB5610,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.259{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.257{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WPILUDZPG6\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.242{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dll.auxMD5=FD6DE591D3545BD3186DE631F46BB80B,SHA256=D9B496E22C03C6FE99055B4F3BE41057867B2190F6032B0E7B386988E37046C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.240{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\WLMOZX3B9O\System.ni.dllMD5=94AE45817D7A11DB2165BC6DF4997AD3,SHA256=45879B1C723A5AE6F9577A9BC99A145C15487C5CD4FF456EEDBCC87403041C9A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.124{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A0FCD2B4F29474A24C552DB24FC8B3,SHA256=F65DD5088AEC3F1A15AF860914351F32B69F5213EEB6B60C8E385D2651E8E31E,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000056587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:44.828{43EB4363-55F0-60F5-A708-00000000E501}6340p2.shared.global.fastly.net0151.101.14.49;C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000056586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.127{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.768{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dll.auxMD5=5A370DF59B981781F12A7F3A37D66361,SHA256=110B34A25634C7C5EFD6242F5A78BB129C5DB3A8F7BCD745233898DF3B63153B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.766{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XEFBNA36PH\System.Configuration.Install.ni.dllMD5=BB79E90A6CDC752EC6FA8D004D881F82,SHA256=094F1E63ED0E7041F3C57AADFEA670CE53997439B064C4C5802CE19434004860,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.759{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dll.auxMD5=97D37AFB390992CE3C6F1D4E1112CAA5,SHA256=E9BE5584192A17CDF882242AB2C104E2A185B276E589F81AEC50663E4BA6F881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.758{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XAOAEWYN6S\System.ni.dllMD5=709A692740777021A1BC08A50B61C807,SHA256=AD85D06B3912A64986318D87202BDCAD748D6E68E3B693D37459EF9874889CCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.584{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B323C3556C494BF3266004D20E592AAD,SHA256=414C0344F79B0131C2BFC1A8C9331B780156FE1E7A014CD34804515DEBF66A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028446Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:47.094{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB0DFA9B8445201E7CFE783B1ADBDD7,SHA256=7575AE5CA5054A70F544ADB7AC3E2FC659ED7692685C2023B7EA6D477C2B5267,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.308{43EB4363-55F0-60F5-A708-00000000E501}63406744C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+11fd9e1|C:\Program Files\Mozilla Firefox\xul.dll+121a0bc|C:\Program Files\Mozilla Firefox\xul.dll+13233a1|C:\Program Files\Mozilla Firefox\xul.dll+1f4e71|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+4127f|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.50.4550575C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.54.139314391C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.307{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.53.117275825C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.52.11278245C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.51.78117614C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.306{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.49.172768231C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.295{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.294{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.279{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dll.auxMD5=F75844856EE6FABD9C2BF434525D8F9F,SHA256=1F40EEB68BE036B5E0B884535BE71578A36B57947ED17056394FEF8E5E411B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.278{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\X6YBSYVLCJ\System.Web.ni.dllMD5=42107A9680DD1F0C15ECA4BD0B4C3A45,SHA256=E865E3843039ED20DA42936DE4AE5A66B282101FC494E5676F6BAE458429D669,IMPHASH=00000000000000000000000000000000truetrue 18141800x800000000000000056569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.264{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.8012.2.5707645C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.264{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.8012.1.127151997C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.264{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.2.5707645C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.264{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.1.127151997C:\Program Files\Mozilla Firefox\firefox.exe 18141800x800000000000000056565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.256{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.0.101318715C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.256{43EB4363-5725-60F5-0209-00000000E501}8012\chrome.8012.0.101318715C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.254{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b3568|C:\Program Files\Mozilla Firefox\xul.dll+122d767|C:\Program Files\Mozilla Firefox\xul.dll+12e44e9|C:\Program Files\Mozilla Firefox\xul.dll+29dfd24|C:\Program Files\Mozilla Firefox\xul.dll+12bfb3c|C:\Program Files\Mozilla Firefox\xul.dll+1227e54|C:\Program Files\Mozilla Firefox\xul.dll+da0207|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x800000000000000056560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}6340\cubeb-pipe-6340-6C:\Program Files\Mozilla Firefox\firefox.exe 17141700x800000000000000056559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:42:47.221{43EB4363-55F0-60F5-A708-00000000E501}6340\cubeb-pipe-6340-6C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.205{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.199{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.198{43EB4363-55F0-60F5-A708-00000000E501}6340\chrome.6340.48.47560312C:\Program Files\Mozilla Firefox\firefox.exe 10341000x800000000000000056555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:47.194{43EB4363-55F0-60F5-A708-00000000E501}63406724C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+29ffab|C:\Program Files\Mozilla Firefox\xul.dll+3a5b85b|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000056554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:42:47.194{43EB4363-55F0-60F5-A708-00000000E501}6340\gecko-crash-server-pipe.6340C:\Program Files\Mozilla Firefox\firefox.exe 354300x800000000000000056593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:46.664{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local54109- 23542300x800000000000000056592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.605{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F93CA993221DBD31FB7F893425ECA415,SHA256=0F692D2EF6AD19E32BA322FB987F886CA2F104FFDE1C81D7B3A54A0EACE0ED49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028448Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:48.109{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7559CF32F6DAC1A31BA523CDA362140D,SHA256=6DAB13789E6925AC45764BF28809537826152CB0365351B57BDEE1F5A11AE945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.274{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dll.auxMD5=08DAC8470A6071A6F9D300CCECE11FDC,SHA256=F21F4F9BD5BEBE704971BBC058A01C007211FABC2BF86E2BDFF504394E89A5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.274{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XGTN4JOG04\System.Configuration.Install.ni.dllMD5=6CEF29BBBE3A64E8EDA58C8614B58316,SHA256=D6B4C973DAA83DB08F6D1013643F3A287BE92A3DF7629A06421EA2370B126C58,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.270{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dll.auxMD5=F974195E5ECE86B40F7C98CEAFF80650,SHA256=6FED5EE609434200BCCA2E954E4FF45678A458F016A429BD3AD7BE480AC33845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:48.268{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XFM9ITHJMN\System.ni.dllMD5=13DE7F98F0CB9EB352C90FC60D125E6B,SHA256=895BF50B6C923C70F9F96ED6117D4F5929607376E5F00531F7E0E9209D4A1028,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000028447Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:46.103{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.972{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dll.auxMD5=999D14BCEA16BC6927359881D4D39D58,SHA256=E951F9BEEAFE791DF0F3CB3AFE9BD07BDE358EE20E01DC5F2018DDDB466EEC96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.971{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZZT9OSN8RI\System.Transactions.ni.dllMD5=069D6E12D3CAB923FD4E8AC75EE89BA1,SHA256=F4957C4BFCF882B16615546FCA8A910B09508E5520C62914203915BA51DC3DF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dll.auxMD5=03FB751D7366F1FADBD9267BF1C0D693,SHA256=5F68B3516C69DF888F1ACC44B0A716CE8E63DB995BEC4E8DB170237BC10908AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXIE4TWQX1\System.Numerics.ni.dllMD5=282F0EF6FEB85C1AA8A4D5EAED7B0345,SHA256=9999B5F5E7F6A025582ABB469F2B898514033BC187344B9CA7E507DAE28CB542,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.951{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dll.auxMD5=799D1D6903AEF7B551CD4A4C6B265AA9,SHA256=EAE828D0DC70B8C0CADC0F2FB1EB4DAB7A5E36C371C4B8A27C807DE7C0974339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZXC84VB1B5\System.Transactions.ni.dllMD5=8D18FAAB7987602078CF848438C95F88,SHA256=AB760B68DE4E3D55C85FBC48423AC7C47C8A8C34FC3964E0473DA960D0BC3C5D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dll.auxMD5=DB8ADD4CB7AB7C2BECB6E5D2876DCD98,SHA256=C508A4E3185C74167CBFDFFFC0296BAE94CD0406996404244EA570FE5FD4FCDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.935{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\ZWB27RLG8P\System.Management.ni.dllMD5=4840576F30CADC46214E01EEB1DDEB0F,SHA256=182B6C71998AA6298C694DEE7047C8D4E74228A3B112BE72EA26694380F7E86B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.872{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dll.auxMD5=FF4E2C92B938268E23AEED9F7BC732F8,SHA256=19FC78637B8A3B2A736A0ADD2E08F35E595E8854D68B668FB03022BD4AAECBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.872{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Z9ZNHXO485\System.Core.ni.dllMD5=95173A32BB22297C898788BECB82637B,SHA256=EA0063A4BEF0AD2C8C8BECBFF53222AF78D9E5C3199903A8CFCEA2E63BB78C24,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.620{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73467D7F3837BF557E852B167EDB444,SHA256=83C3CDDE93E7953CF962738F8ED12CBDDE2D3787B6E0431A2A0640C894B62243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028449Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:49.125{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2450031454D2F43AE46D191D1CCBD9,SHA256=E396BE2EFC3546D66FA733B96956BBC0B2A0387F1E2CE11225908BDB1174C35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dll.auxMD5=837ED7C37327AAC0A3D72346C92C1E33,SHA256=03CCB7D13D93251175DE2ABAAA91E995C4A2FD627167E2E150B73A0B68C288FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YW6H3N5KJN\System.Core.ni.dllMD5=FE8274D8E31521C1EE127F0B9A468B11,SHA256=5EC1AB20A6FC7C8B10B5915D6BFED9B96EF524DDE933816D521A21239C339D16,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.089{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YM71E75P9W\System.Management.ni.dll.auxMD5=57977DC6FB73B7EF9F0429019FFA5061,SHA256=4AF54F621129F716BF4E9F92298BB592D79AFF11267EE8784D371BF3322E9209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.089{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YM71E75P9W\System.Management.ni.dllMD5=C7C2C0EC4382A20A53972E3E36772AEB,SHA256=4D17386AE4FC46A77C2BF66733B014E6E19C8BD7864D6CAD4606DFE286FCC469,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dll.auxMD5=9E113C3F173739443B36B19DD5C6669B,SHA256=E6D1A62EA7C191912AA011D805E8000EE89FE7281E888EF7A398F4FBA9AC4182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.052{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\YBIDL94MA4\System.Management.ni.dllMD5=545B093E8C7408982436090E8E13BA3C,SHA256=CFFD545D318D02B523B06E28AFD09A3649D013965B45986CFCAEE54A07AF0C1A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.021{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dll.auxMD5=29E6A003183458CCF64AB3D7FD5E09A9,SHA256=60A7576757C609BEA9AC9B80C89C840C25628B230A49E43AE3297DC76FAF7D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.021{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\Y4IA8CF0NY\System.ServiceProcess.ni.dllMD5=04E405537AA94EDFF3323F0467D26778,SHA256=68136A857028E1F557F9FBB105346CC072FF372608AB0F448A7BA6AEE555D34F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000056595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dll.auxMD5=1048C0ED575A23FCAAD4A2A3D4AB051D,SHA256=4BF180857736CBED625371F3063FB75AFDCEA6BB064FB787B1CE79717F5B522C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:49.005{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\temp\XVFFVWAZ7P\System.Data.ni.dllMD5=97B08C7C842385FA82BB242375C02597,SHA256=12EDACC3503A34EE8F82B27C2E63D46FEE7F5C01CC2D8838A5ECD39FC615074D,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000056625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.752{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.753{43EB4363-572A-60F5-0309-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.654{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73196D41EEA742130D5B3969C58CCEEA,SHA256=31347BF394579D5E1861AA27EA06F3B0936680B799648235D1FA56A8B9C3BC56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028450Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:50.141{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35BC0E7195C52A0A089D2516C5A8906E,SHA256=585A52580C7DB251F6F1103CABAFF3968AB26379FE00AE354DDDE30019A6BC45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.488{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C2-60F5-7508-00000000E501}1960C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:50.488{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-0F00-00000000E501}344C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028451Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:51.375{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA3482A9864CCD4434DA786FFDEA3FB,SHA256=6408C34C2F03AFD01143ED60796F042D6E62DFDE9A572D6AA9628EA15BD31215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.945{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.793{43EB4363-572B-60F5-0409-00000000E501}75047276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.777{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09D8FE0EFDFC331A9FCC2C8C2FA04BB6,SHA256=12D4219D1556E6FD80CBD9D9DB611EBB496C86C87392A24CEDCFA4BBC443BD85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.714{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F996CE289CD479B9F764C43770C9CC7,SHA256=8EAF9C6018F83C9BB55D5E6C08021775F368C45EE96FF00610D3D570AA2DE6F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.614{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.612{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.612{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.611{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.609{43EB4363-572B-60F5-0409-00000000E501}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EC779516385F1DF78CA7783A5813F9A,SHA256=8C906DC1BC76B5374AB2C8AE37AF1A6890ACBD7BAB412A7296DB5255CEBF3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.109{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B0B023C4DE056F1059856F419B5D9D3,SHA256=826D2E10A94563C3A50A1E990D7E736F4888F42573AA77A58C635A21516E30C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:51.102{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1300-00000000E501}676C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.907{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.729{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D289965D8DF54622AF86D345473B356A,SHA256=DF59893CE2746271B9878D367CEB55E8632B5CAA73B3794488838764070E0078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028452Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:52.609{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6285B267A46CC7EC299662764F5589CC,SHA256=2302616F0E6BC20145C69C50D3515B72F07A92444BEC397F1C681E0242807A68,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.161{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.163{43EB4363-572C-60F5-0509-00000000E501}7252C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.145{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EC779516385F1DF78CA7783A5813F9A,SHA256=8C906DC1BC76B5374AB2C8AE37AF1A6890ACBD7BAB412A7296DB5255CEBF3934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028453Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:53.828{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E92BFC62941D8A3D97BAFC5714CD53EA,SHA256=26E77C63123F2712DC0EDE0C4B1ABB13C154D6AA22E3C7D76BEF87EBD6546A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB660CA0FE36C2871EA310E74571FFE,SHA256=DED56A5D8D40ECDC11175C38F16DC1129733CF58B5E24F9292A998A6643EACDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.328{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.213{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7FA198DC2332D22D30984BF9BDEB7BD2,SHA256=EF358935D498CECBEA36D3360BC1C8BD6FC44AC4C913B7EA5EE6F5352E68CB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.175{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1D8F4A1627BF2B5F877BF936B73E35F,SHA256=C66A34B787823EAC63929194772438E12F5A9C60D64593C5E721A90E218058B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.931{43EB4363-572E-60F5-0709-00000000E501}25764840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.909{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8A08-00000000E501}4852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.862{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.762{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.764{43EB4363-572E-60F5-0709-00000000E501}2576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.747{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E3BB9708249C6DC497B1EEB00D5912B,SHA256=FA7EB85590F653EF7468119F443E623B9C51F31A9B8561AEEA483D753C4A1012,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028454Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:52.024{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.660{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=849C6DB78ACBFE5015C0DAC674F7E625,SHA256=FF44A736293BEBC96AD8B7E74BAF1235AA149B79543C88E2E441DF84E0C2A814,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.459{43EB4363-572E-60F5-0609-00000000E501}75847620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A07D22C503E624854865FCBB6E9CF948,SHA256=D759B80F36FEF31F7672075F91A0009B790C7E5A0B88342544D9573CDFD1AB33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.229{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.230{43EB4363-572E-60F5-0609-00000000E501}7584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:54.113{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:52.044{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5552B1FC2768EDE98B410330E83C455F,SHA256=537439FD1688E18A70D562F8A772C9076E3014E43F664A8A73FB3FDA4734F094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.762{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D179CAB500920B6C4E58430302D3A9EC,SHA256=D08845737329504002A21AD7DB29A877A9EFACE3FC59524F4EF6904BED48554E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028468Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028467Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028466Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028465Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028464Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028463Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028462Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028461Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028460Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028459Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028458Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028457Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.672{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028456Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.673{53AF6CEB-572F-60F5-F405-00000000E601}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028455Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:55.063{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55A856A6A7AC8BEAD6E9232FDDA02430,SHA256=B5F6E08E9BBE57A6C5B37582211D35B3E585FACAA6B2CADD75B63D69AD54F720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:55.278{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AA5CE1E5F4752B501302E2F59C69D41C,SHA256=FB27DF64DDA47D51492A8954F8A697E523075DD2378D3387F916EA864080811E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.578{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:53.578{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65072-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000056712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.913{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.913{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.912{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=86919EA02B22AECDB45CBE142DC90841,SHA256=31B26CFAA610A29AEF68FE20CFB8485F348F96A502ED46F5E3B09ECC1E1953D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.910{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.909{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.908{43EB4363-5730-60F5-0909-00000000E501}5296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.909{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=7F317D6B9B84A07E133ABA33521367DC,SHA256=B5968B65650E20A4EE1C9E104AC7DEC4DC94095D30DC756539C4B72831DC490C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.892{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.777{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF13ACC1DB38D82F0917B341D39E02F,SHA256=7D33616F299DE5D4CB9A818B9385ACB6EF372021754BDA456C193DBE7E236B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028484Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F0ADB902E05E19F3F1DD555850F59D,SHA256=CBA7146DB4AD25447D0B557D90404D7A8263AE69E170E64B57FFF8CBD5BE4A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028483Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.672{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D04892B0C8C950349359F687EEEB6A4,SHA256=4B4366B795B4A56919CA1DC9925F8410CCF8BCFAC7A470CAFD4723C6C3BFEE78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028482Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028481Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028480Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028479Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028478Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028477Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028476Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028475Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028474Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028473Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028472Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028471Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028470Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.344{53AF6CEB-5730-60F5-F505-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028469Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:56.297{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E93FD031529C09481F0EDED58E1C0C,SHA256=1020DB17EF8631D10724779D8EDA552AECB5CF965785EC963B033A4FFF11F1CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.561{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.315{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B6E5B3D4CD9104283C3C0E7C1D1EEC4,SHA256=E7CA500D2CA51EBCB1634A4EA9CC60BCBE1EFC5EFC6B82318275F0AE6DD37159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.230{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.231{43EB4363-5730-60F5-0809-00000000E501}6916C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:56.212{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028512Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028511Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028510Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028509Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028508Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028507Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028506Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028505Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028504Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028503Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028502Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028501Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028500Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.940{53AF6CEB-5731-60F5-F705-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028499Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.938{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B04B53DC4DE06BDA8B6917B565FE395E,SHA256=11FA232BEE5E5959CC9A77A26F4F3CF14AFB3AFB2B82B2BFE90F2C45C347AC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.791{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A1B0AC1960E43A2CC571E219DD3433,SHA256=29F374DF88429BCF5D5096995B5CEE9534C81419973DA40AC97ED64F68C150B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.560{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.361{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7571A72E5C95B8BBB2882184E0F99160,SHA256=AF42C7655B4AA05EA99F3E79BE8D7562AFC1CB4227DA8FF3B93AE2D7A59B2701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.261{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=325C6D0CD8BD96A4F2F2CDACD446D2DA,SHA256=220B5E24A21EA470DAEA7179EA4D58645113A72F463DC0A19630EA1F1925A29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.076{43EB4363-5730-60F5-0909-00000000E501}52968140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028498Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.156{53AF6CEB-5731-60F5-F605-00000000E601}10523460C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028497Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028496Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028495Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028494Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028493Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028492Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028491Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028490Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028489Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028488Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028487Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028486Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028485Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.016{53AF6CEB-5731-60F5-F605-00000000E601}1052C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028528Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028527Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028526Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028525Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028524Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028523Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028522Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028521Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028520Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028519Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028518Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028517Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.984{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028516Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.985{53AF6CEB-5732-60F5-F805-00000000E601}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028515Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.953{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C7BF790C66E8CF314DB041D2785DCD,SHA256=9FC5FB2EBE2C3A039A20551C50EE8CC36261B60C4CAF249ED7311A1053630C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.809{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39EC4AED7D9C5012BC38071C10D31EBC,SHA256=5002A1D5A0F98000D01FBA0EAC91573169B5598742F56F5E0E8E8C327FBA645B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028514Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.094{53AF6CEB-5731-60F5-F705-00000000E601}34002012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028513Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:58.016{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F0ADB902E05E19F3F1DD555850F59D,SHA256=CBA7146DB4AD25447D0B557D90404D7A8263AE69E170E64B57FFF8CBD5BE4A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.407{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=66034C94F9AAACFEC09815519013EF1E,SHA256=A40BDC2AA78039ED7E51AC5FFD18DE972CC93B26306735630C9D1C638BFC664B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:58.060{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8A08-00000000E501}4852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:59.828{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41B1B5F04CC2882655094859AFB1719,SHA256=AE33345BCCA441EE8EACF50B6F7639DE476CB15199D16931E5F7DC566E1F8AFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028543Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.859{53AF6CEB-5733-60F5-F905-00000000E601}28884052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028542Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028541Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028540Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028539Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028538Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028537Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028536Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028535Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028534Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028533Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028532Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028531Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.656{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028530Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.657{53AF6CEB-5733-60F5-F905-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028529Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:59.156{53AF6CEB-5732-60F5-F805-00000000E601}15323852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:59.412{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9FBA8030AFBF714B8FED7773A1A80131,SHA256=9940AD049145EC1FFD508E45925FD767F93304BAC4E2C39484D653AF98743491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:00.859{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B5F70CFA123A34D82056516E82EF9F,SHA256=A32E30DF16C0AE84593E5D91D45F8F38187CB7E97D239142B4A43BEB9D33996E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028546Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:00.297{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F54ECDED2BCB83B6C0FC7D01595A1A12,SHA256=4B77B466DD16F4047235495DB82E803594E3ADC7B237DC96D9C55A20355EEEE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028545Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:42:57.993{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:00.474{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4C31BDB4E47EC6D50458B7B9D1A5C7BD,SHA256=EB9C73C0CD8966A39EAAA75B62751446226143C59471C4412533C928FAD60AA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:42:57.978{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65073-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028544Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:00.000{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B88BA7BA222C3F2692924FB1AA9FB81D,SHA256=7F95B99666009016999C9C2B261509A7305C3B891A036201FE5CFBF8865578BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:01.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE879FD9B31A31A311C55C07FE88BCAF,SHA256=1425788395BB4C6BA954170A1BA0C46A5C918AFC3F936D8214C520D288FFC637,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028560Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028559Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028558Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028557Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028556Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028555Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028554Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028553Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028552Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028551Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028550Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028549Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028548Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.438{53AF6CEB-5735-60F5-FA05-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028547Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:01.313{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0533DCFC96996F0125E89654A59AE30B,SHA256=7A22A0A0A7394172690420183158781A689D0079E3CBD6FD70736161901087EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:01.511{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9F753B674D9FA9071F8CC765505A2C95,SHA256=7E0373825EA145B76841AC22F1385773A893C3FDD3E474055E8EF6C1C245C8E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028562Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:02.536{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F222B61B8F74EED40CEC29EFF6352C,SHA256=4893F0E69F38018F29B52A23FDB3D72020F4F1A5C8E4BEBA28253C959C6285F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:02.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C50EB94881554E06091D470F2C1820,SHA256=CB973C796FEE489C5280D7352A2E5D5D03B12E3C7FF89C9551D6B4E4BD8DEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:02.545{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FD4C1BC85D796C28954619B5BBDCF35,SHA256=7D8B7C3F411F53C574F801E29888C00F2CE23049415EDA38CD4F65A013A251E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028561Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:02.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14081448347739268F7B209E2227D2CA,SHA256=9780597538E0A41D07BA1BCB9E10B351D82EAFCAA3884D317A796C422B55F865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028563Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:03.770{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=409631529FB0579AD5EB59506B4C201B,SHA256=41F537D7367FCAFBDE0707517D9585CCD0345B5B76B432482565F95DF6944E7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.660{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.576{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=86DA9FAB8C8194CF154780F884325569,SHA256=E7F4F3528ADB01889B4F04C7725129D79E5D5B150846F2C748A7AF7E8106ADD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.291{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.643{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6252BAA605A4DEDC1C00223F7563D87E,SHA256=9019603C61800D1CFDE90246CA46830BCFD31B379B898DEFB5743DBC0E96B8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.590{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.060{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.010{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AA2157CE1693904405902AB27C2E77,SHA256=01D27226381B473031C0CFE81BFEB9014415E8894CD839C5404919137EC63377,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028565Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:03.107{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028564Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:05.005{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059879DF4AD65DD7B22247B90FA8552B,SHA256=4595763C0EB52AD4EE255B1462AEC3F02B77BCC7FB2F792295ECA753009B65E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:05.674{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=93337FD73FEE5B100F7B692BEA58C0B2,SHA256=BE2F12FEAA1FF09545E467E9D1D4359FC6C087C84C8E62960F5F65D6AEBFE496,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:03.093{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65074-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:05.027{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1FA44025E6CA4DF61FD60FDC057326,SHA256=106203EE0591C9EA70E7B761A0552792BD9097E12728EC73BE7E8AA64F722E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028566Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:06.020{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7631F2A974FF4155A53580B1771E09FA,SHA256=AE86B42F5C903C6B2010D63B351FAAF62D9BD39A0DBD4AC9FBABEAF0F9E09A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.811{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.709{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CD032AA985093D95DB1F4E990A3899A3,SHA256=BAC4DBD087616B93192146B37BF536B43FF39F3362C86188C865F1820EEFBEE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:04.508{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65075-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.111{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:06.042{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172790F40E52FA86F58BCA43DCAD3CA4,SHA256=E3A645144CE1D5A21FA254373BBD3EEF070DDC0C79DEEF65597C2999E05523CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028567Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:07.114{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A25164D4A125139B6870ACEBA830C53,SHA256=0189A22DABE64BF5013DC390BF3E72D2962CB17C2AA06CBC2638B71E633466AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.743{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=136643211E44BB95972536CD8C43F93D,SHA256=DAA45793C2E9AB821F82F7C2C281296E4832FC76A2D4497323DDA0E9FE504C30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.507{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:07.043{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF6438DD94847AD4273BF02A2F92F06,SHA256=8003D9315436ACB2465E3DB9805A1F94F7D0C98857F5F6D2FE4624BDC7336A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028568Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:08.114{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B45F1C6A322F22FA2CF34A91D4C11F2,SHA256=08F83B898CF40F6E98A554494D59A48E896F9D7CE15D49BC4EA1A677BABD086D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.842{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D4115147A1A12E26180870385E9D510,SHA256=3CD15C738C2852DF91411ECFC90964E3D3F6673FA77F8B67886BCFC656E75568,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.358{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.358{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:08.058{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFED1D4EF2FB0D4F4C514E06E1123A89,SHA256=926A4A2B7C3C39705E1A757DB87BD615B4B448EB65312C3E54B2B2E0C6CB4AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028569Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:09.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3A0B129125966AA7AF929EA57DDDBF,SHA256=4EE32E4FD76EBE7399858EE4531F5D8DC1C054BC4C8B83D01119A6F859C73C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.973{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2DD2E6122FF411DA7150D684AE28EDCE,SHA256=90F5B3435F4847F6E3CF73C540C2F7323950C65EA2796122F250E52F8A77136A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.511{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.089{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB13092087478877DD2F3757A3704BE,SHA256=F509B91AE6886C511EBB57F7A37118F3B44651DF3691481A96CDC90387FC7977,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028571Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:09.044{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028570Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:10.380{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=685BCCF6EB74000868FD8CD420F050A0,SHA256=09720EEB4DBD19CC9FD92599A3CC918F1CFF47D480F4B51C141028B283FB2080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.987{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=73D8ACC4A7EBD27ED374346EDB12882D,SHA256=FA0B5C92AB7B3ABE34CC060D8387E359CF6ED54F13377674CF6A06C0F2A91C8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.809{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.157{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:10.110{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E196F478069B555C887F6FB7AC7838C3,SHA256=FD3A654185CE6BEB20F297B1F68D84C3823E6023A79205109DBE2DF2BDD54D64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028572Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:11.505{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515AE0DC51B84298E3F037D2DA052EE8,SHA256=4F0497BCC36D4A90612039F272254B461A5B0F561DD4BD94795E1AD221883A19,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:09.023{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65076-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:11.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=701DD91A469337617733AE4E1B57DFA4,SHA256=22BA6EC5AB8A41AE3AF62589CC25B40F2A83D7CDAF33A1EDA246BBB574353C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028573Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:12.739{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010224F4059147E407D177CFB580A932,SHA256=6FF8EB760D5AA87E9AC2257E0C9ABA9C8F2A8A1CE6735053E1CEDD308CF0886B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.829{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.145{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FF0F59C76CC4B5CC9822AC034C87D5,SHA256=40FADEF9EA807843A743365369599DD4E25F0FE50568081830247C799DE1DB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:12.013{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=851A62048CBFC92E993B54A57FFCCCF1,SHA256=8C2B79D92D0C3A8D0A30E89C3CEF95CA03E0C7BACBDEB90CDA92060D2997FF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028574Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:13.880{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=476173FCAC668F7F76CDD6D9BB25E084,SHA256=BF2460D4F2B71BA4668C40A1A755E201D0FBE59DE11C085AA4C24F0FFDFBA6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:13.160{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28F10BDEE760297A0883E545ECECF043,SHA256=524A93746D89B319CEFAC874E55A0D4587C790EC40EBAACBAD19E8ABF1672566,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:13.060{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=36FF545DE5D486629FF88B6E09C6F108,SHA256=1DD6205341E902674A5C86BED109298BD3C75456185254AB82420BCD8FB22E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028575Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:14.895{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCA4EEF86E480DAF666D60420F22DC8,SHA256=35EF31391515478E7600E558160453E2A0E712A2B19551C585EFB26B352C3139,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.830{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.177{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.177{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC6A90C8B8A56346D9DDFDF281E31C7,SHA256=AEE90A91E15AADC284466DC9A7E311D9D83C63EC971C61DE140BC419CFA5064E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.092{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1BDAA0EFC314C5D394491DB8085AF13B,SHA256=9A0C2A71F8215513C7DB7DBB8CEE4FE6323F0B311397454AEABE807C5601AA7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:14.006{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.577{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.213{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B5D4AD4C3FFA038B47251ABC40D25C,SHA256=AD1D6AC8FA90FA4860E82703D005BD6DE482617B02F1935A5127F8F9C36C19B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.114{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0B177F830468587EE90570EEF36DD5E6,SHA256=0D1104D44BD0628B3E4F9B4504C786EE8AD92D96C22AE4FC7D841B24B05ABB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.910{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:15.043{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B234053DA7006CB6F9B1510DBE12ED7C,SHA256=C728E37629B129385C33032EE39CF092C12E4DED88B922B6462B28BCF277D5D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028577Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:14.982{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028576Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:16.098{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A28B83865139A5C6AA46F2E7D90163,SHA256=22217894CC3EA93C219DE6380AF09C25E6446B4F55573448DEF1D509122F2D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:16.161{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75CB526037DBB9BEDA2F7F7DA5BC050D,SHA256=F9BC1A547E8FD806FEC79BD443D97EC7ACB2CD839614521785DB26242E35C12F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.530{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.277{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A7A4FF36F33389C19C73F75EF815CB,SHA256=251BC89A3F017DE86FD11C8490E4C1C6E74DF301F05EA3704219AC1027F7E528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028578Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:17.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33A3895DB1DC0228B363B765ED28F5D,SHA256=FD5A186A1FF3468D0F6797DBAA9994EE622063C3898D6E2C1C8046B669CA2623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:17.192{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5634B54598AD3F5D246DA0342A63D2CF,SHA256=12E0D33981A7DD1D7D825CEDBB6A8CF16D1F80FC5C02571BE44BB6712B8D57F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.346{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8175B40E10CC79BFDB1915339CF0FEEE,SHA256=508FE458C87F3920DDCA1487D442843308896F601F5B205E626488722C7C0998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028579Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:18.255{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B607AE9C2AD88F3804FE94CCEA0E7C7,SHA256=F66F628774BC189C4B2BC94302DFF4F4464FD60886F607DF7518B88EC82B5065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.215{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D1B21C0B022059ABE925F31B8EDEC99,SHA256=E31CFB81484B159853C5DF28E29051CB004BF8D6D3B76CA73E1120F35F333834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:18.194{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.594{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.362{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=289FFE16D7B677770DCB223890691910,SHA256=9AAA93B4362986A417D9973C18EFE4109C07E82746760A59C1834057B386F7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028580Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:19.270{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC21ED03552C7313F0C5E47BB32D3E58,SHA256=918739D6ADEB54EEE74B2154E77FEEE2D8CBBBC5BE9AB98EBB8289A7A560A7BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:19.278{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE93355ABC3360C89972AF61922FF520,SHA256=019C32D75935F67B4E03C2BF79E8D631F6AB2006902E71070941B3A6FD9BA27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028582Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.942{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9C072C0347131C73DAEB90472C32B185,SHA256=76059EB2B38AEF9F1843FFB563CCBE1F7EDFB610E2361E663D2BCA956C125319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028581Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.270{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F24D1525F31C360027B9C8FF1C5CEA,SHA256=954487A593755109FBF42BF12EE0CE21F85C256B214007CA5E2109C9C4538D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.377{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3230B03EE210769D482DFE9F895E9F,SHA256=F9A7F0F94A7E2926914D7D2165ACF0B511B17DE5AC1AB2506AE1C66D3EAEA78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.330{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.293{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=451E09DD6622F46A5BCCB8AC2B44DFBD,SHA256=E325E94CE24B8D7012D96EB16B2BE85566C634B20A5ADBBE78E45F03197273BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028585Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:20.138{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028584Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.489{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1154AA5143A812416D4D8E16ED453A,SHA256=A0C5EEFD1D4F8E0AFE5D8BDC95C91702462AF9F197A1AB0438BE9EF5B6795C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.411{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA176A967094954833549E40EA249999,SHA256=4374259552DB2161FD724EC0744413D2C23D3791B7AF71B61E53E56AAAF08CBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028583Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.333{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.308{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2997C79D8703599795632836E3B26E10,SHA256=839716D92398FBFB400BBDCACA0AA1308A25F760784ED4F9ACD4FD9E946D819F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:21.045{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028586Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:22.721{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC08952DEB8C9DB17741F1A24D6327CB,SHA256=8A9CC8FF4B8324A613F31D2509A5BD8807DBA7291F9C3940C02989568401ACED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.444{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950AB9E64A181967015493292F86C7F0,SHA256=CD7A964220E8938FC27DD2F3AD203A3BF840387717C00B8ECE55264374DEF634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.428{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:22.313{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=92900E9FF68D401E0CE06C4AE422D890,SHA256=625A4E5D68EF87A040B9226A99FD7405B5C5B784285E46829792955F4F1B97C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028588Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:23.877{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF442B63F1E4C446CDB99336CC29D313,SHA256=6506E6F568B3BC78A311A55936814C81571873387606DA9AA465DD9E09BA332F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.811{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:20.978{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.458{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10804607FCD72E3812EA29DBD6D5635F,SHA256=4624BC903C4ABCB8976F2E85727CA8636DDA5BE6CFDC5363CB75A31F98CCE448,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028587Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:21.201{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000056797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.358{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1EB19FCF657AC68F2E009D2FFB4FE14A,SHA256=27DE1C7E77B356F6D002E260A79889043BF640993FE9044D28F222375B3549E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:23.112{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.705{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FBED037E4C3ECAE6D84DA2A161FA8B13,SHA256=5C8A24F44BA289C019BE6765541565A38C3C9718B1E4268478C90B4E4888D562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.573{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7555FDEDDF8BB9431D9D4208AB9259,SHA256=AE037031E472E0C5BF70C3C95ACF256D14FCA5715A57B5A2EF086DD815EA083A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:24.411{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8B9D5D779B19629B3EA00F3F7A5F498B,SHA256=8F07E2D0B59479190CB206712F2330E00FAB0A03D5D02F7CDB9A251358C50A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.957{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.607{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471BCEA6F9A26BF174FFAFAD066A24CB,SHA256=A6BACEFB00FFB0E1A90C788BB740AB6FB856D1486852455624BF5D56D7D1E55B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028589Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:25.111{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67109107403A31DA3C5F01C1D753D6F1,SHA256=1782F805E1E0899F70C42F175CCCCB7C2DCC3707D55E9E72D79A45D87C51E3D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.488{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A13CA3FAB0CD93DC69FA17DFC1C8DFBA,SHA256=7E7FCCA935C4D8A4653790F1061D99FA6CCE8BC906EBFF73CF2AF57FEA3CAAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:25.210{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.706{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.626{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F64D870B24593844BE4D0DB56DFAD73,SHA256=0195024C827FEDCA3B3C7ADC62978871B791471F7A200B5CA4D66C9D8AB47B38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028590Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:26.346{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01425AA7143C66AA0A64B8D378F868E,SHA256=5725676EC8BA42AA48619C3EBFC2F18875D25C74E4FEB98BAFF05DE2F0036A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.510{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FA251C746CFA027D9C29FD9D050BFB74,SHA256=EF16033AA91E67F30741919BBDB15469BC9D34A3BFB4F6476F1E39D6A9DBB090,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:26.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65079-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:27.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D87A82F47192C8F1D2986ECD90D51,SHA256=FB546A9A30DE8A820FA166C935AB55C25815937E4BDD67922A7E68DF2769A9CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028592Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:26.042{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51235-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028591Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:27.474{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0B579DA8C3C808F867011FE0257209,SHA256=321B097AF1B37CF094BE9F950F2736356587867F24E9FB22C40CE630C71BA29C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:27.556{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EBF4A9EC1BAA147B788541988309FD20,SHA256=9A20EEFF9669507271D2EDBA61FFB47CDA389D7590160C78B742963D10DCD3C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.672{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE25ACF91AA4D942956A10A4BF28BEFC,SHA256=071132A1266983390629A74D10E667B5476880B018BC6981DD84D4EFD2D45D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028593Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:28.488{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B7829D9E2C422FCA86C77F438F24337,SHA256=FE50A4305FC24B13B0F549DDD9D38F3A16852A0FAB756B80FC31AF5D79E5C48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.610{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AB76FD7F435B8127BE6F18F443A5C773,SHA256=8F6F21475289494018FF29DD893E3CC6761194E9648011E70ECED188D272AFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:28.325{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028594Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:29.722{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6591F90F055C87389EEEDD2EF85FA44,SHA256=D627691D57515F9E48F5FBCE68E7E834EE56A4DEE9BBA3F663F65643A5AB809C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.771{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.707{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39AC8F72AD8EB00E50EED5255E510E7A,SHA256=CF7F40B94D12932F1EB1A550756EBBC2CE7364C3912495EA6484F30A44A9D894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3D2D0140026E119DDE60680199612748,SHA256=1C9ADADBF7DC1212C6B0784E85BA7294A0ADBA8797B4DD52513F7B0D25639505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:29.025{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\assembly\PublisherPolicy.tmeMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028595Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:30.956{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9359C226797499C56C6358D0209CBAF3,SHA256=4EA57B21E07DD684666CDD018F4C6DCE8F65E132991266908E54C3435AC339F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:30.725{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20F1B002A9DF2F46F4092FF15EF7F6C,SHA256=C2314CDA0BFFF665E425C9349577ECCBEBEDDBE578301C50E23BB488DBDF108E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:30.686{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=535FCBDDAA48F028CA68A3E170F768E4,SHA256=E233D6E71F1CFC606032AB6F1A62275841ABE8A50950CA5DF571F65D33E82D36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:31.739{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47197B31321305C53F7C51531A9CBF12,SHA256=31A55A57584B28F4BE7FF86E744DE7FB70BEE0BE676589A030D2B67A8D4D6360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:31.708{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7E9C85F98CE6534D2E919C28F900E8C0,SHA256=D925680A5AA59D37583CF8D8FA98E5DF969C6C6753AA97FD55F48633A651300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.754{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB9C57635F10AE01458C7CA6BF9EC8A,SHA256=89A7EC91FB124DF35BF1BA0563D04C1BFC2BDCF7242AC03C27DA767892C4AEBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.754{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FDEDF7474F66BC50AE292F86FFB3F0C,SHA256=C84054BEB1625F360436F419FD956F819CFCA5DBEC0861882BE7383FAF984353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028596Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:32.191{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC8E36B66B730ADCF53D2748422FDB8,SHA256=6F9A36AA24543A30B3C86CDC23C2100E7BB8EF3865F071A6EE0FB31A20104340,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:32.019{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65080-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:33.803{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9FF15C3F567336DF277C477F271FBA,SHA256=AC21C61E1E917A9D38B7D368C18586A0100B00A9FE95662C9F70BE64F897FA3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028598Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:32.027{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028597Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:33.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4E786B51ED88A9C1204A2208A1F1BF,SHA256=7A3BFD04C0DE53F81C47A3619BB0CEADE67424EC66306B8DCEEAB4F56775873B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:33.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B6139B04AAB221676BABC20669770191,SHA256=57AE17A5470BE70D8414F6C19E199C537986E1A3E8CF4891E62047BE9B87B27A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.853{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC0FE5E06E772E0FF0DEBAFBCA6A416,SHA256=E175835E89673C27F244B4F67C11958C0277DBD3BEB81CEDF1AC09FF65802B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028599Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:34.441{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E111C41E9D972F2369F6A2161D77FB,SHA256=402D66C2C28B11869E76DFFAED3558012049B0B58AF234289BAE76BC2F5B7A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.806{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D32CFD75BF2067193CA9E1E546AA62A2,SHA256=9F81E7F3274763550DA7796F87774A015152C5319A95CE7111BC03D6DBFA9A6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A945558D48D5900377263E4EF12A5E,SHA256=B69FE9CD6399F618721EE32790425B9FB5AE57883F6C68CFCF90AEC4DB400D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:34.104{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E773180269C5586E15906BABE9D07B79,SHA256=09F4A0FDF5E5551EB1D5D3EA64C1C15167D148319A5B11AE5BF836EDB2F44D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:35.904{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0D7B2CA737E1BD40155DFC92B3BDB28A,SHA256=22BEBF70D5C6E85C22D5D802341A5854B282377F9A769C8C78127982A04C7466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:35.867{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE1766C87C842498E570B752BF04E16,SHA256=2EA2E49851A3D48C56365FDA371B18C0D54D9FAD055D84FA616EA82433E281CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028600Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:35.456{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B40BC613C8BB905EBC90174741D89C,SHA256=0BABB4A540CB77BAB3D8BC44A7003C21D74D1F0A63AC766B2C643A4B5CA17678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028601Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:36.691{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5E7503A1D02F18072560CAFFD313BB3,SHA256=128210FA96E98C51258C364BCE37A9CD85736A993BFDD62D2B5075D0E48C66A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:36.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15E313E54B75EF273E36F809938ADB42,SHA256=FD31A6926679B6D0ACED6C011C87AFC331695D959117788985686C65D2E2B0AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:36.882{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94831D416A6EE2AA51554C470F410A8,SHA256=14845F0658ECE816319D0FCA3D90316B65EFE6315AF8003C2ED2F895EBBE5283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028602Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:37.925{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B50C95F822F1B6FD2C1B7481EEE0655,SHA256=F5E43C1CEA84F41E750D34C2DCF1EA66677F110110B8402EBA23DC6AD6847B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.965{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=539C10A2588123CFD9F653AB431383D9,SHA256=E3D0AE5D9E3F57EFC25245B86CA0FC02F37B642539BEA1066B0413FE54B1541C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.899{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDCB5109F6D8DD93B7843F07A5F6C46F,SHA256=EAB0855329D414D3117085918FA32F572EA0E66C8B9D4736854C8EF69307CDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:38.980{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B9CB5BFDB30279C83BA0985D57C1FA82,SHA256=529ADA819929C317887C628D55D81B0CEAF2D4E863017500519D9E41A9282E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:38.933{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35FC8671947CCC9A32145E92823BAE4,SHA256=840BDCCB28BDD39EA41767384119BA1D86A0EBCA6ACDE24BC7FDA0E98F8AC700,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:39.963{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A300555EC13BC758A1F14E8BEE0AA0,SHA256=61840939E066435C184B44D6CE276D05ABBD9F9048C19B1A06DB18FDD7C39CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:39.500{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\aborted-session-pingMD5=6F38A9E759E9A1AB5702D7A765C1A1FC,SHA256=5D7BECDD3478ED24B8263241100C22A7A573FF572A1D6D1DDF92FE55A663425A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:37.130{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65081-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028603Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:39.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD54925F2FAD8B7C221CEF13EC3DAD67,SHA256=B5C0D490A5A28DBA3EC7F4A3436C5F3C34CB180B253A5A97264AD09E242E40F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.999{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C244B89D72D0A9D29A549D4C5B183888,SHA256=9C1C28A7FFE2D8838C67297BC22C17F913098440E85A138DE58F9B797A7B8CDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.363{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.363{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:40.047{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2E3EEE11A92CE5FC7385D87FE3BC3666,SHA256=7B7A53542FD268EFB524853CF806B93AED23772D59142F2AF80F61215F51A556,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028605Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:37.980{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028604Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:40.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3064FA3EC781A02F5DBB4C85ECA7B6A7,SHA256=C5A2D89F8BC9BAE82F6700B51F0CE90A98DD50BC8C7BC94F0E0677172B85D9A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028606Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:41.175{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9F63F2D79AE455F468F59CDD68FA6B,SHA256=20362F5B3E845284930491628F3B3D8340E16BB49DFE69D91F7DD6B3195F28C5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.894{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.079{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7B41C8FEAFD13B9B9666B923616B9FF7,SHA256=0DB9A0258FEC1A125875D60AEEC4880170692F28D68A0B746ABEFE4A0C6372B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028607Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:42.189{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F18C7E927EAD1781B20450AE80B2130,SHA256=9053BFD56B0B6B2AD3A97AC9CFBB8DFFC67E66D7B74E785D30E33EB743BA87C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:42.099{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DB3944DA73A339856990FA171CEEE7ED,SHA256=B400AD4C19ADAE5186F766826C01A57806F724F5884A7642CD78AE66BABB321B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:42.015{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27C67012A047AD011DB83B182D592F0,SHA256=8CF593562E5B7290E66302BC5B5AC391A490641E5FA95C5C14EE3E7039E62164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028608Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:43.407{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF91B0BC3F5686D56ABDF5187982087,SHA256=40167A13067257791626B4A82D4D882EBAC555F924FB5CE6D0AF7C6568D3F8A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000056860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.729{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7bffa7.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.296{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65085-false169.254.169.254-80http 354300x800000000000000056857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.199{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65084-false169.254.169.254-80http 354300x800000000000000056856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.150{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65083-false169.254.169.254-80http 354300x800000000000000056855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:41.149{43EB4363-37B8-60F5-3D00-00000000E501}3416C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65082-false169.254.169.254-80http 23542300x800000000000000056854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CC0DC1F68FE4D0329CCB649C79FBB033,SHA256=1A39FF81F9DC2C3A72F8219197FC1071371F49383FDFEB7DCDACC15A66C43182,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.045{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20FF565418819FB07270631DB076C55F,SHA256=9E094952AEB82096368CEBAC6108476331D11981767362C790F4B714EEEADE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028609Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:44.564{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A80964E02B21D5B438098D91E2B52B1,SHA256=F2E7F41F99F8BB296B749A8BCF50F9D4CA8073458E2FD7716018B2A5F40B74C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.692{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.692{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.144{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75AA3CC96BF54090EB2835457D3BADF8,SHA256=99278946B309D08A8A208B55702DA96F8C15504EF2A5A70291D0180ED4408F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:44.075{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF1E9A9992D197AD630CA78C6CA28AB,SHA256=A507A416C45DD4A9DF19EA95941EDDEC2260938A4DA62F5C88DBFEDA5BD21DB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028611Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:45.798{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1348A32EFC211D0796170E5CC09A2EB1,SHA256=C84970FDB1443683E16D649F5DE331307F8F3B0103C42B26FF10BBB235807F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:43.025{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65086-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.174{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=21E57F56416EE064721F374E6F2D7FD3,SHA256=5FAB88FB8B8A097A892FBE930EDFEE770384CC2736057C00712AF38F147DEF2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.143{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55FD-60F5-AE08-00000000E501}6676C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+521b0|C:\Program Files\Mozilla Firefox\xul.dll+29fa9ed|C:\Program Files\Mozilla Firefox\xul.dll+29fa4f7|C:\Program Files\Mozilla Firefox\xul.dll+da83b9|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+40208|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:45.094{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FEBB5DD3FA0B6BB4A567E74FAA5E96,SHA256=CCA5B3F4F22C75BAE25CB4322D68080A8C63E468B5A67242CF34FD19ABBD0F3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028610Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:43.931{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:46.210{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DDB6D832C20C89D4C012C1CC54F5927C,SHA256=8FF9A5712C5F28A6D2D63CC6E4C6AE5FAC4393535E2D2D05ABA8079AC66E01D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:46.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA3F025DA3AFE7590CA80A2804077E,SHA256=137D5272801C7FE109B33AF9C6B400D3C96DDDE356EB545F1C960F2CE450710E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028612Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:47.032{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87B5B67D99E7C95872F348A2E4870CFC,SHA256=C5EA060F64C04D36E80DB6AB50A086DB4C4B9691B1DCC0DC7F53C26B379AE4D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:47.258{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B11F068AC467C088A5764FD521455D5A,SHA256=A39FC7D7D9936122EE988526745857C50762BAF78F4680B04D7F65CCD49BCC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:47.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862F9B67FD618F6338A624AA3AC3F9A0,SHA256=9D043630004BF82BF2A4FD91CC7CA429ECF12E11E589CAF27B8528A5C11A83EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028613Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:48.251{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCB62DF1197CE06AF8A53EA90F7485D,SHA256=FC877BCD00490F287967A1F7AF0C102E29E5B22729CB12D8F11E9A0E3F8EB21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.257{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=10FA9B0A2CA6FA3D01E9D0E980D08F46,SHA256=49209C4EE7519107088620A31C430E93B150929F7611BB9B3E541C239EF67DE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.141{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B17FC4F946E0166C6DB4749F550507C,SHA256=BEC7753B333D76234AA890AA422A807D03AF35CD49FCC90725F7F75F7C8F2D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028614Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:49.360{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54612E7D2BF667F498176C8BB31E350C,SHA256=35AA77E86A1C201AA9D095E9F0F13D228D286D667F70528FB44C29B2DC2CDC9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:48.074{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65087-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:49.294{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=60A6AFECE6B1EE80DF0437B99162A670,SHA256=723A81763BF583A2F364CC61C41AEB1CD647B6EB9F48FAF6F9F28AA4B67E54AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:49.172{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79FE3691C2A5B3A89965E7CF695EE8C,SHA256=B6DA696CDD2FF86AF892A9C8DD6AA6E071F480C7A9E814CACA40264B5E87C760,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028616Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:48.947{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028615Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:50.595{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1A57CA0C6F236BF39512DD21E0824F,SHA256=D83BE95922E35743703A437BC802833780E4CB2334F126D4426ED709E31FA6C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.639{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.642{43EB4363-5766-60F5-0A09-00000000E501}7700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B323DB0368CF07F05AE698A196F646C7,SHA256=8BED2B63D765AE16330BE986AEABF0391D1495B0FE5F26ECA1941D6087B1909E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:50.189{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828C6721B728B27209F62C23569992C8,SHA256=4E1EF2B4DAC1E727B9E436737D00D20258D9ECE7F3BB8CD327330C290E8B7A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028617Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:51.829{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42497CF5FC856C007C5C851A05608E4,SHA256=969985E625251195D3386D25806C4F4CD88446D75F919C85D00E14B2024CC71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.931{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.932{43EB4363-5767-60F5-0C09-00000000E501}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677ED0AF838D46294BB19BC9BD0FF91B,SHA256=A174A10E68B5FFFE5AAAA386391003AB189CE1AC67B11FAF87907E76564CFB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A945558D48D5900377263E4EF12A5E,SHA256=B69FE9CD6399F618721EE32790425B9FB5AE57883F6C68CFCF90AEC4DB400D95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.477{43EB4363-5767-60F5-0B09-00000000E501}77287748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.354{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7F5AC51143CA8B1E9CC9904BE0EE6442,SHA256=8DAE33DB7FE79E6AB91B126DBB4DAEDF336BCE6AE3E515760670AD37D0CBB1F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.254{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.256{43EB4363-5767-60F5-0B09-00000000E501}7728C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:51.207{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD23F24C15FC353C3D12DA3FD58B8140,SHA256=EBE4E810EC7F22F80C80C1A266861BEAB43F4B427F3466C00FFC38FF8189D2D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028618Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:52.939{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7235E91AFEA7318805636453652A90B,SHA256=316982D6F1B88074C7602A05BBD20A7E65571A314B70E3475BC84560F9D1EC58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.946{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=677ED0AF838D46294BB19BC9BD0FF91B,SHA256=A174A10E68B5FFFE5AAAA386391003AB189CE1AC67B11FAF87907E76564CFB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.362{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C02EDFF2EDBC14AC5BB6E0BD5C1532BC,SHA256=64863CF515EB7B939E83877B26B5434D25E512F4933D0AA114B1A1D15130B9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:52.216{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116B53E2DE1F95BF66BCE9F6B083908C,SHA256=577665A5D960C0DE0599A8596F189038A4E2410EB38F2FCD55A80D22979E0308,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.461{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DAB16F453BDEF59F45159DF31045A418,SHA256=485CB178404C493AFB27F91902ECAC855107A9ABDFCC839CA3E9EA24476A4F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.230{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0CC9B26A0DEF36325B257B9B603893,SHA256=C90F5A4303E03DF98CA1C2136E7754722D049F4BF162A10674C6DF6511E83E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028619Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:54.189{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2F1700A8BA9561147E784D5B70187C,SHA256=746D9E861052439B408113BC7A6F177DCB2D3DFDA60851BEDC2783C9F9392ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.927{43EB4363-576A-60F5-0E09-00000000E501}78647896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.759{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.743{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.744{43EB4363-576A-60F5-0E09-00000000E501}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.712{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68AC3BB7F3CEF85F9EEB115D6BFF09C7,SHA256=FF25647054A86237F0BB6A763EDB560EAB31B377471A66784C03F7C71256EFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.544{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CE1DE1BE2D8470D2AA495C8701154B61,SHA256=E26D857F49EA3AD27C8E85A8CF78F3F207F8DDC0BA51460CCD102F22F30CF169,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.381{43EB4363-576A-60F5-0D09-00000000E501}52767848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000056926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4137018B5C4428487B010CFCD44F559,SHA256=B063AB9A62A9F0546EC78BEB9C2E3C3511E40CB49C867EB654D82F49ED309DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.228{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.229{43EB4363-576A-60F5-0D09-00000000E501}5276C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.160{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028635Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:54.103{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028634Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.689{53AF6CEB-576B-60F5-FB05-00000000E601}9521644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028633Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028632Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028631Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028630Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028629Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028628Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028627Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028626Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028625Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028624Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028623Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028622Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.532{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028621Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.533{53AF6CEB-576B-60F5-FB05-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028620Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:55.345{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDB1C9E0326BF62DAADC958A058205E,SHA256=AB263949E1775E12A20DE6E1D6865D9801BCC4C5B0DA100113FB21C401B42E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B62CC8FC769A9EC8D21E01457BA99F37,SHA256=0BF1D6840554F4D0085207F66B5954C9651DA158F39D10915C9E49C06E9F7AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.558{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F88E7C80FCE83260325D1F336B08BD79,SHA256=3B14E2AAC2FCE812395BA45914E190A12AAD9137729063D5C7C1683954553F57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.594{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000056940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:53.593{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65088-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000056939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:55.258{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D68CD19F05952FB00B86CE91E61749,SHA256=308280396CDAC8BD2CC3F39B8A81DE9470EF7523E5A6FEF1FFCA12C1591EC6B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028664Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028663Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028662Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028661Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028660Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028659Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028658Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028657Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028656Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028655Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028654Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028653Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.876{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028652Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.877{53AF6CEB-576C-60F5-FD05-00000000E601}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028651Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.673{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422A4976F367121CD500E1BBD0DBD5C8,SHA256=EB432055217BE0C7D535D309ED6A627BBF2414DDF38F5AA137D0CC59708302E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.794{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.741{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.742{43EB4363-576C-60F5-1009-00000000E501}6708C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000056955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=89DD80096EB40546F4779C983DFB53A1,SHA256=1FCB914E189C473D3CF370FA111B8E6735C16477136B789C1B1506F766A43BD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000056954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.441{43EB4363-576C-60F5-0F09-00000000E501}13848092C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000056953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:54.030{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65089-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89DAB33FF5EB7A24945692EE266020D9,SHA256=C124624087EB674BCD02423FD0E03FA6703A7F423CE9144EFF623B65204D4509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028650Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.548{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B183BCC0E7BE75763EE55F3C46415F,SHA256=C30E979F336577E8A96ABEE94B612E2D56BF41E12FAC7A1A65C401563F87C21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028649Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.548{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7D39A466F38CF7B5798A8F320AAAC02,SHA256=B2E8EDDB86C3F4AD3D01713355862A20AE73AE00C262E4E6713A427AE6110843,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028648Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028647Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028646Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028645Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028644Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028643Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028642Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028641Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028640Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028639Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028638Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028637Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.204{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028636Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:56.205{53AF6CEB-576C-60F5-FC05-00000000E601}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000056951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000056946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000056945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000056944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:56.242{43EB4363-576C-60F5-0F09-00000000E501}1384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028680Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.986{53AF6CEB-576D-60F5-FE05-00000000E601}1723468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028679Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.892{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9B183BCC0E7BE75763EE55F3C46415F,SHA256=C30E979F336577E8A96ABEE94B612E2D56BF41E12FAC7A1A65C401563F87C21F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028678Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028677Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028676Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028675Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028674Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028673Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028672Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028671Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028670Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028669Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028668Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028667Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.814{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028666Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.815{53AF6CEB-576D-60F5-FE05-00000000E601}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028665Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:57.689{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46CE8F9F7283A40DDF22D1DCC1E9746,SHA256=174738A2BDA83AE91E49EB717BF046E35903523EEDACE697EC6EBC68078A2F26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8F66E0C9D6D3E9AAD591DFCFC9A664DD,SHA256=462747596B27B0C7515DCD9A8AB966271A13C66D23D66616ECE74E09015C9A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=3D958BBA57E8A3EF208FB5BC8AE14C96,SHA256=EAB8538049D347BFB1616CA4EC0DDD1D852EA00AD8DF4D67C0FFCFAC7EB398EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.880{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E0B9F91A72803325EB91ADCB93E92F74,SHA256=3991456CEA534733BF526F93ADE863A5041BD8A97FB5DCB784D11448CF7F8C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.879{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=A7DD20D14625E95D4CCA9AFFD0012F07,SHA256=1CA07C428E910F8A6C6BFF7E1EA66ED3666E28B5E7548CAEA91EED58C11037E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.877{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=99B7CEB4F43533359ED6460C4115F6BC,SHA256=9CC2859A62083DA3AB2EBA619D6FF864AF0CEA3EBA81F2C16705922732E4EFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.876{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=E5009320B373ED5F538993C4BA69F81B,SHA256=562E3C8DFB1CF97D34A3E7A9AA5C04EBF4AB67A99A2518F539581706BD0F2A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.628{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=893B42289352DA675F1A8F1F10264150,SHA256=2A8C408206637349DBA9732808E8390A86527E3674117749EC59FA0BEB6924C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.326{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCEADF41FBEE227AB39E7184D7B8CF4,SHA256=BD254B72BB12ABBC7A11383E1B624531F40E1DE88DEC46C3FE89D4DC6ADBFDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:57.257{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3A8C4648FF3AF5782C109ED7B739A5,SHA256=22E6FCD5CC47920406B6AE84536D4E693ED381E6D379D4AACA88567320345502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028694Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028693Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028692Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028691Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028690Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028689Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028688Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028687Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028686Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028685Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028684Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028683Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.985{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028682Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.986{53AF6CEB-576E-60F5-FF05-00000000E601}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028681Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:58.923{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAA980813008E74BCE94D29301CBA64,SHA256=37BE71E31E237344E95930488CDE4B7F47CFA4DF2BCAC22535FCAF616ED0E389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:58.780{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=67DDD3337546324F3CC761FEF68C54F1,SHA256=BB42398EA5C3602647FC81042B0F7AAD1AA81D7BFE1511C4F5683189745A4EEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:58.327{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F235A08B3C0B38265CDDFC43C20E274F,SHA256=B0EFDC9560CD19D4A8F7A33E00B9F0A2FF2A3165B6FD9D94B949233F2B6616FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.859{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6159CA2783EE0E91A65587A0A145134B,SHA256=3CD26367B1BE5DA4DAB4CB1A4C63CDC474535B457ADC6C45B898D0B65A02F3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.342{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7A93492860C34444F8443BA11F9241,SHA256=70D5027DE3AE04134F35D158444D8706F762FFB61E8F2D346746EAE104EEFD8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028709Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.829{53AF6CEB-576F-60F5-0006-00000000E601}27004040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028708Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028707Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028706Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028705Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028704Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028703Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028702Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028701Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028700Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028699Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028698Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028697Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.657{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028696Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.658{53AF6CEB-576F-60F5-0006-00000000E601}2700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028695Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.157{53AF6CEB-576E-60F5-FF05-00000000E601}33362580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028711Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:00.204{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0AAD3DD9BE8D8A5B893115852F12916,SHA256=C64DD1E1979924014835FBB6B428AA63AAA679FCCD11FB11D0849A2752B0B128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:00.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=13BC6AB461F99BDB7BC0F857A9423784,SHA256=1FDFDED087F3204D496CB0E784956BDCE0BBD94F58A912789B9E90EDA9AE583F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000056979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:43:59.128{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000056978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:00.370{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22449D03BF79D7814D5A7F75A9B0A593,SHA256=769CDE9A30B4A57DD305F00E03A579A32076EAEA90641412978926F78D510DC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028710Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:00.001{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CAF6FC065D7FAD511C0184B141F701A,SHA256=201848E9AB940E46AEB95362D84FF1E497504B946415BD32BD9A9B52F62A4F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:01.893{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=09955489255185AD8229976EC026A8EB,SHA256=AF39387BD981C48C6A0099DD91F727EC0D4F611D371BF531FFB840A18DB3E7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:01.393{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC9CDFAC5D4D111D815251995F330CC,SHA256=D9B8A7C04F93C7B7E562A313A01C3DD2EF6C9B7A6259B182194B575C7A89B6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028725Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE47B21D055968ADEABF39CB1CEBAEC,SHA256=F8F586899BE7BEA7563147197DDA040D05D32A63086E1ACA71400974D7E7CA17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028724Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028723Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028722Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028721Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028720Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028719Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028718Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028717Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028716Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028715Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028714Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028713Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028712Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:01.439{53AF6CEB-5771-60F5-0106-00000000E601}1576C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028728Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:02.490{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A052BC1E620A0E045A4D85EEBE58AF6A,SHA256=35EA03CD70CDB1FB3E36E521B448E6AD0432EA786E38040959EC354F95CE0284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028727Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:02.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF091FD859D739D17822A68782CE2B3,SHA256=2FF2869B5B289699A65B9BC97988A7BA125B8256C30153AD3ABA61A508895612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:02.955{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A673726273CDEB3A8CB443CF58109020,SHA256=0D26ED2A735B4186BF94DE095AF119E2F4A4F7BB4F3DDD6223D0614D748CD8C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:02.424{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2567E28493EF032EA04EF84C6D676B0F,SHA256=7EDC483F45531CBA2F106FA525A253A468D81886E859D62D4C9F388F219914F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028726Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:43:59.994{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028729Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:03.693{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98889F6DB7EDCE9D5F6A90EF099DC57,SHA256=30AFF4678448D825FB0F98674EB192C79C82DEC502326B0E47F66BF6D076B36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF904461561DC7C92B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5D4B81298225E8F4.TMPMD5=98E9EC71D6A17A41EC02E5E32CAE4C7A,SHA256=69F7C2A9F637FF9B85C7FD2DBE1B65234C63E89AD102466E9587EA9A1EC74D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSICAC6.tmpMD5=C447593BC94FFE3393BA263A452FD61B,SHA256=4AEF26774A6D58BFC9A1DBFD0C8DC1A13A4F8A8DCC35F63CEF0C0D2D214CA651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.938{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=35209366D1503DA6DE4BBDA398891B02,SHA256=10AA48C9742C8B31A15E9B71AFF903897A8EDE6586AD9B5942FA3F6146D7BDA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CCA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_14.rslcMD5=78FC2616D762A72323B1763C00C58383,SHA256=53DE3AFE5202DFA41CA7115EF6C9960F0A0BDE47F9D80F2AD9B25E22A77C5EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CC9.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_12.rslcMD5=EB4F1502CEAB0BF3B61B187902B9D794,SHA256=FD36225F8C61F3BA7129A7ABA0BC73AA3712D7230A9027D6B8992A70331D6ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CC8.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.454{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_13.rslcMD5=290F9D5685ED26C271A73883938AB4BE,SHA256=4980B18902FDBE76860340ACDF04424D3752D28AC2936F1C2109078629F47764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB7.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_11.rslcMD5=D96F7EA7433252C03B01DCF24EAD49DF,SHA256=D5F7DABF77B6B1A02C6D12305DD568593A13231CF2C287264813F3AB5330E04B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_10.rslcMD5=F1DA9FD3ACE2E51C19E8D04C531EF0F1,SHA256=A92021A5453B393D6A52E0ED1321EEFCEB9F167B5489766C52F9DEDC83AE5907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4668F8D99CFB8EA35620C492305CA7C1,SHA256=88EE9D470CD0751E147B339E8E1D1C4CA6BDBC168BCD83E3DA3250CB7BB3EF9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB5.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_9.rslcMD5=9789ACAFA2E1CD4A36C302DF216F78DB,SHA256=F73403196E5B3601FA212CB783114E086BF2E9A4663C052D439ED75D4158BC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CB4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.438{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_6.rslcMD5=F06147BFCFF9DE987FE8827AFE4C1D39,SHA256=54D31BA0BD67235AA34EB1DCF18B863B3F74D1B6380C2D04660AAE2CDE35E663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA4.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_8.rslcMD5=66FA81BF84EB89921F0D1A733DF3F41B,SHA256=67C43D933D1689CD0E6AB17C07D8EA14B966B269048C20440FAEB14F861F85FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_7.rslcMD5=60A87774E3F8F882E78F5D1FF5CF5C64,SHA256=FF452B36FD530F7069528526493C141FB3E6EDEA6559DE2CEB4DBBDBA36D731B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA2.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_5.rslcMD5=A9413B4737F03C8A01F3B845A089D509,SHA256=D752BC0C98F09F8D94E25DD0853FBEB26612108AE1FBFB95BBF399090348C015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4CA1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.423{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_4.rslcMD5=ECBE0ED9E6EC48ADB4D687413A827E32,SHA256=96FDAF61A684C7CD0051A08C04073B3D76178D34EFBDF64887FBB83D60F2D346,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C90.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_2.rslcMD5=A101693CB6A0CC5BCB1E673CEFFA04F9,SHA256=90313517953B8361EF60D2E4BF2C137DCD3649B2E717CB90D6048EE8455933A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C8F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_3.rslcMD5=94C8E916AD6E6687A8C3A8B518D397F1,SHA256=CA803AECD559E93C5F871E2D8D427B6F522E2F6195D216C2C20CD7731D8CEA1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\4C8E.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000056985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.407{43EB4363-55C5-60F5-8A08-00000000E501}4852NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\AppRepository\b7c29660-88e8-45a9-ba01-77c7302ca045_S-1-5-21-4085236968-3260266398-3930693997-500_1.rslcMD5=66A4F769C8DA87F789D2F0E2A11F0E32,SHA256=A2EF12C1C39F56FDA6005F3142A53D0B991466B29454A1A840F116B99A91A125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028730Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:04.786{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF23D40C88A7986A0CB81105C1C257F,SHA256=27998DAF6C651D2651A826C615744D81D1B418BF10FB3634E57A3460CF58C56F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.990{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.990{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.965{43EB4363-5774-60F5-2909-00000000E501}76567964C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.955{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2909-00000000E501}7656C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.950{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.949{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2809-00000000E501}7640c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.944{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D52DCB5268BA0E1B2DD715E32C6393C,SHA256=57A44A0EB262BAEBBAEDBB5ACADD621B52962EE016378360051D4EDA68E5983F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.938{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.938{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.906{43EB4363-5774-60F5-2709-00000000E501}72008184C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.897{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2709-00000000E501}7200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.886{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.886{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2609-00000000E501}5536c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.876{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.875{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.855{43EB4363-5774-60F5-2509-00000000E501}62368164C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.847{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2509-00000000E501}6236C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.843{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.842{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2409-00000000E501}5896c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.831{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.831{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.808{43EB4363-5774-60F5-2309-00000000E501}62126060C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.795{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2309-00000000E501}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.788{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.787{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-2209-00000000E501}5752c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.776{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.776{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.648{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE2967EB044D44E052147B25DABA0D8,SHA256=A5C894FCC7A89B9AD0D51FAA132EAA484D9541EE935C7042F73234BE192B6DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.645{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.615{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA244E1A5BA730F36039E0CCEEE931C6,SHA256=2A1482115E5B3108432B7AD13B81B30FC008364ABEC61603062514AF9765C0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.613{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D66E976F86FFD1321D9351F22C9ED20E,SHA256=EFD9BFE9E3967E93AB8BF985BFF40212765DE2F0E42444B46B19731A1BDEE8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.612{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D025BFAEA81082EE1BCCE4D672FAECDC,SHA256=28EE3C21A48BB94F9F02BF94436F751E1E3E7A80F1BB22BCD62D516C3172FBFC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2009-00000000E501}6716C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.569{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-2109-00000000E501}7260C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-5774-60F5-1309-00000000E501}73203364C:\Windows\system32\taskhostw.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c01b0|UNKNOWN(00007FFD808215F2) 154100x800000000000000057070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.561{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:708C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=D2DDF021EE6A8A649FB58F6DD05EDED7,SHA256=AC1B312B5D048DAC81327CF083BDEF2966AA883208455490E73D6E34C932B7D9,IMPHASH=00000000000000000000000000000000{43EB4363-5774-60F5-1309-00000000E501}7320C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x800000000000000057069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.553{43EB4363-5774-60F5-1309-00000000E501}73207568C:\Windows\system32\taskhostw.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\c31d89f634fd312488d86639a1c94735\System.ni.dll+2c01b0|UNKNOWN(00007FFD808215F2) 154100x800000000000000057063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.558{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe4.8.4330.0 built by: NET48REL1LAST_BMicrosoft .NET Framework optimization serviceMicrosoft® .NET FrameworkMicrosoft CorporationNGenTask.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe" /RuntimeWide /StopEvent:872C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=196F531423F864F990B24F3D3AFA9AA1,SHA256=353C8C617C87A56F93C9914E219BE4E30A45A0DEA8D98BF34C6BD81A6A287916,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{43EB4363-5774-60F5-1309-00000000E501}7320C:\Windows\System32\taskhostw.exetaskhostw.exe /RuntimeWide 10341000x800000000000000057062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.438{43EB4363-5774-60F5-1D09-00000000E501}45764080C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.406{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1D09-00000000E501}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.387{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.386{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1C09-00000000E501}7552c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.369{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.369{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.338{43EB4363-5774-60F5-1B09-00000000E501}72204568C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.338{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1B09-00000000E501}7220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.322{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.322{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1A09-00000000E501}7252c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.306{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.306{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.291{43EB4363-5774-60F5-1909-00000000E501}75048172C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.286{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1909-00000000E501}7504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.269{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.269{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1809-00000000E501}7276c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.253{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.253{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.238{43EB4363-5774-60F5-1709-00000000E501}1292360C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1709-00000000E501}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.222{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1609-00000000E501}7492c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.191{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.191{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.154{43EB4363-5774-60F5-1509-00000000E501}74727496C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1409-00000000E501}7444c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.122{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.122{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.107{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.107{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.053{43EB4363-5774-60F5-1209-00000000E501}72564612C:\Windows\system32\conhost.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1209-00000000E501}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.038{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5774-60F5-1109-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.022{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI4EE4.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 23542300x800000000000000057019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF70C4C1BD24C69D4B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:03.991{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6E793D12DC3C7E23.TMPMD5=98E9EC71D6A17A41EC02E5E32CAE4C7A,SHA256=69F7C2A9F637FF9B85C7FD2DBE1B65234C63E89AD102466E9587EA9A1EC74D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028731Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:05.927{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA889215D12D2979EF4CC831153DC94F,SHA256=BD1730E60DD89B8E1ED02121D08CE0ADC5613215803447035DA67B6D99DC1BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-5775-60F5-5909-00000000E501}76847772C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5909-00000000E501}7684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000057262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9C8FFBCB6EBBC7B47BB33DCC97442B,SHA256=30224C69C8DADF52DC5F257BE08ED9A06EAFC3F2CF0478348663C6E0B40AC75E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.973{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.957{43EB4363-5775-60F5-5709-00000000E501}76367176C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5709-00000000E501}7636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5609-00000000E501}7108c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.937{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.937{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-5775-60F5-5509-00000000E501}81005896C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5509-00000000E501}8100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.903{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5409-00000000E501}6428c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.872{43EB4363-5775-60F5-5309-00000000E501}68446060C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5309-00000000E501}6844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5209-00000000E501}5936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.819{43EB4363-5775-60F5-5109-00000000E501}76204080C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.819{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5109-00000000E501}7620C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-5009-00000000E501}7128c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.788{43EB4363-5775-60F5-4F09-00000000E501}36603860C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4F09-00000000E501}3660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4E09-00000000E501}6952c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.756{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.756{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.741{43EB4363-5775-60F5-4D09-00000000E501}73247216C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.741{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4D09-00000000E501}7324C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4C09-00000000E501}8180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.719{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.703{43EB4363-5775-60F5-4B09-00000000E501}72127484C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4B09-00000000E501}7212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.688{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4A09-00000000E501}7480c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.657{43EB4363-5775-60F5-4909-00000000E501}75007540C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.657{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4909-00000000E501}7500C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4809-00000000E501}7532c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.619{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F2C6BA89A64A2A7197749276C7C2B6,SHA256=3369C16FE13E8504ACA7D541511E51C13049483D5BE7B30D32528AA3CDB311C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.619{43EB4363-5775-60F5-4709-00000000E501}74567304C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.604{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4609-00000000E501}7256c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.572{43EB4363-5775-60F5-4509-00000000E501}74085216C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4509-00000000E501}7408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4409-00000000E501}8104c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.539{43EB4363-5775-60F5-4309-00000000E501}45007300C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4309-00000000E501}4500C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.519{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4209-00000000E501}104c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.504{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646367E37BE536AAAB1C5F9498418D70,SHA256=EE7EDD4AA62832089EEC1BC270769ADB64324EA1A6602EE51101A8A631EF1445,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.488{43EB4363-5775-60F5-4109-00000000E501}5041368C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.488{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4109-00000000E501}504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-4009-00000000E501}8076c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.472{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.457{43EB4363-5775-60F5-3F09-00000000E501}80368108C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3F09-00000000E501}8036C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.441{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3E09-00000000E501}8072c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-5775-60F5-3D09-00000000E501}80568016C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3D09-00000000E501}8056C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.404{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3C09-00000000E501}5304c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.388{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.388{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.373{43EB4363-5775-60F5-3B09-00000000E501}81887956C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3B09-00000000E501}8188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.357{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3A09-00000000E501}8004c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5775-60F5-3809-00000000E501}78807976C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-5774-60F5-1E09-00000000E501}75847600C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{43EB4363-5775-60F5-3909-00000000E501}1384C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000004444853)|UNKNOWN(0000000004444504)|UNKNOWN(0000000004442103)|UNKNOWN(0000000004440F66)|UNKNOWN(0000000004440950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1862b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199457(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1bb98a(wow64) 10341000x800000000000000057159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.320{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3809-00000000E501}7880C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3709-00000000E501}8c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-5775-60F5-3609-00000000E501}78567948C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3609-00000000E501}7856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.273{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3509-00000000E501}7864c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.241{43EB4363-5775-60F5-3409-00000000E501}78327952C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.240{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3409-00000000E501}7832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3309-00000000E501}7900c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.220{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.204{43EB4363-5775-60F5-3209-00000000E501}78607844C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3209-00000000E501}7860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.188{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-3109-00000000E501}1156c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.173{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C90DE30E1DBE5B3BD88946CA3A688466,SHA256=01B703297829A785F90353BB0A89E35E9E315DCAC3E8F46B50054C277AD4CE1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.157{43EB4363-5775-60F5-3009-00000000E501}7284900C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-3009-00000000E501}7284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2F09-00000000E501}7804c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.132{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.131{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.110{43EB4363-5775-60F5-2E09-00000000E501}77287824C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.101{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2E09-00000000E501}7728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.095{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.094{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2D09-00000000E501}1304c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.069{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B2A8464BF1604055AD8E147244BDCB,SHA256=ABDDA3E7667576D7556646DD98AE3C0AE6F28512EFBB62CA9BA6C754632A48D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.067{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE33924733B5E0E22E692630F5CE51F9,SHA256=2AD710AA05B535A89C62787A47B584B3D85B15C679F31AE80C99F641D78F9012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.064{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.063{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.059{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.059{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.042{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.039{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.039{43EB4363-5774-60F5-1F09-00000000E501}61965588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{43EB4363-5775-60F5-2C09-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD80825A07) 10341000x800000000000000057116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.035{43EB4363-5775-60F5-2B09-00000000E501}76927700C:\Windows\system32\conhost.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.027{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2B09-00000000E501}7692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:05.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5775-60F5-2A09-00000000E501}7688c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.956{43EB4363-5776-60F5-7F09-00000000E501}32446952C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.956{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7F09-00000000E501}3244C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.940{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.940{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7E09-00000000E501}5008c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.919{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.919{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.903{43EB4363-5776-60F5-7D09-00000000E501}72528180C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.903{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7D09-00000000E501}7252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7C09-00000000E501}7220c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.888{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-5776-60F5-7B09-00000000E501}72767480C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7B09-00000000E501}7276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7A09-00000000E501}7504c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.841{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.819{43EB4363-5776-60F5-7909-00000000E501}74927532C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7909-00000000E501}7492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7809-00000000E501}1292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.772{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.772{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.703{43EB4363-5776-60F5-7709-00000000E501}67127256C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.703{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7709-00000000E501}6712C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x800000000000000057366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.533{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000057365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7609-00000000E501}7496c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.688{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5F36C0753A9C48A722A7872FBCBB641,SHA256=6B07C7AA099569692ED1DFB692CE05FB6BE2680BCFFA905F16E4F0757D7A0133,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.672{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.672{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.641{43EB4363-5776-60F5-7509-00000000E501}81487408C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.641{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7509-00000000E501}8148C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.619{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.619{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7409-00000000E501}292c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.604{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.604{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.572{43EB4363-5776-60F5-7309-00000000E501}8112104C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7309-00000000E501}8112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7209-00000000E501}8084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.540{43EB4363-5776-60F5-7109-00000000E501}80328076C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7109-00000000E501}8032C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.519{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-7009-00000000E501}2612c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.504{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.504{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.488{43EB4363-5776-60F5-6F09-00000000E501}65568036C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.488{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6F09-00000000E501}6556C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6E09-00000000E501}7676c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007c5875) 13241300x800000000000000057334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0x9d7aa351) 13241300x800000000000000057333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8a-0xff3f0b51) 13241300x800000000000000057332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x61037351) 13241300x800000000000000057331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007c5875) 13241300x800000000000000057329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0x9d75e6e0) 13241300x800000000000000057328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8a-0xff3a4ee0) 13241300x800000000000000057327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:06.457{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x60feb6e0) 10341000x800000000000000057326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.441{43EB4363-5776-60F5-6D09-00000000E501}80688056C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.439{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6D09-00000000E501}8068C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.419{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.419{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6C09-00000000E501}5224c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.404{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.404{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.373{43EB4363-5776-60F5-6B09-00000000E501}79728188C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.373{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6B09-00000000E501}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.357{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.357{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6A09-00000000E501}7992c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.341{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.338{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81D72ACD748199CCB16701A2FE00176,SHA256=CBB32FE45476ABDCE7E9B607C7D2922C13D6700721479FAB94D1CA8F51879F1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.320{43EB4363-5776-60F5-6909-00000000E501}80007880C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.320{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6909-00000000E501}8000C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6809-00000000E501}1412c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.304{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-5776-60F5-6709-00000000E501}78767144C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6709-00000000E501}7876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.273{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6609-00000000E501}7912c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.257{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.241{43EB4363-5776-60F5-6509-00000000E501}79007180C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6509-00000000E501}7900C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.220{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6409-00000000E501}7916c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.204{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.204{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.188{43EB4363-5776-60F5-6309-00000000E501}11567896C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.188{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6309-00000000E501}1156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6209-00000000E501}7836c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.173{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.157{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70B2A8464BF1604055AD8E147244BDCB,SHA256=ABDDA3E7667576D7556646DD98AE3C0AE6F28512EFBB62CA9BA6C754632A48D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-5776-60F5-6109-00000000E501}78044904C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6109-00000000E501}7804C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-6009-00000000E501}7808c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.120{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.120{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-5776-60F5-5F09-00000000E501}1304224C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5F09-00000000E501}1304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.104{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5E09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.089{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.089{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.073{43EB4363-5776-60F5-5D09-00000000E501}76925624C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5D09-00000000E501}7692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.057{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5C09-00000000E501}7060c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.042{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.042{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.038{43EB4363-5776-60F5-5B09-00000000E501}77966392C:\Windows\system32\conhost.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5B09-00000000E501}7796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.019{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5776-60F5-5A09-00000000E501}7612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.004{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:06.004{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5775-60F5-5809-00000000E501}616c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028733Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:06.013{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028732Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:07.146{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB4BF21BD8C4A2E0BB7364DD5E58821F,SHA256=AD3A0C2A9FBD5899DAB1A0749B66367EF75AB9E6ADA17892264646A304F963A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.972{43EB4363-5777-60F5-A109-00000000E501}13682612C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-A109-00000000E501}1368C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.956{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.940{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.940{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.919{43EB4363-5777-60F5-9F09-00000000E501}81167676C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9F09-00000000E501}8116C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9E09-00000000E501}4344c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.903{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B7C692D238A825BB38E38D28B66866,SHA256=D8405B3AAFE446AD45FE7A5A333A2DA6EB8A9944389E64D9B168844DD72BD716,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.887{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.887{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.872{43EB4363-5777-60F5-9D09-00000000E501}79965224C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.872{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9D09-00000000E501}7996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9C09-00000000E501}4516c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.856{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.837{43EB4363-5777-60F5-9B09-00000000E501}80647972C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9B09-00000000E501}8064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.819{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9A09-00000000E501}6900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.803{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.741{43EB4363-5777-60F5-9909-00000000E501}79808000C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:04.985{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000057471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9909-00000000E501}7980C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.719{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9809-00000000E501}6852c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.688{43EB4363-5777-60F5-9709-00000000E501}78567876C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9709-00000000E501}7856C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.672{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9609-00000000E501}6708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.657{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.657{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.638{43EB4363-5777-60F5-9509-00000000E501}77607916C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9509-00000000E501}7760C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.619{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9409-00000000E501}6440c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.604{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.604{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.572{43EB4363-5777-60F5-9309-00000000E501}72887836C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.572{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9309-00000000E501}7288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9209-00000000E501}6536c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.557{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.519{43EB4363-5777-60F5-9109-00000000E501}52767808C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9109-00000000E501}5276C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.503{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-9009-00000000E501}7908c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.488{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.488{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.472{43EB4363-5777-60F5-8F09-00000000E501}7816224C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8F09-00000000E501}7816C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.457{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8E09-00000000E501}6928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.441{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.441{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.419{43EB4363-5777-60F5-8D09-00000000E501}43847692C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8D09-00000000E501}4384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.404{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8C09-00000000E501}7624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.388{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.388{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.357{43EB4363-5777-60F5-8B09-00000000E501}76527796C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8B09-00000000E501}7652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.341{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8A09-00000000E501}7708c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-5777-60F5-8909-00000000E501}73087684C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E2B78654E2242E360A5AFBC6B5818F05,SHA256=C73F258D22FB9C026D31A55EB04E083ACDA002BD61DD0A9C63C946A838CEC070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6300AECC74312D9A75C8BBFCAE1631B8,SHA256=32A5FB0BFAFB40F1544322F89272C822A76C6FAD1B81AB6109C3DF5C246C7BFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8909-00000000E501}7308C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.288{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8809-00000000E501}7656c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.241{43EB4363-5777-60F5-8709-00000000E501}78527924C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.238{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8709-00000000E501}7852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8609-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.172{43EB4363-5777-60F5-8509-00000000E501}81648100C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.156{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8509-00000000E501}8164C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8409-00000000E501}4100c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.137{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.137{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.087{43EB4363-5777-60F5-8309-00000000E501}62125936C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.087{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8309-00000000E501}6212C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.072{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.072{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8209-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.056{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.056{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-5777-60F5-8109-00000000E501}45767128C:\Windows\system32\conhost.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8109-00000000E501}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5777-60F5-8009-00000000E501}5724c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028734Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:08.208{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720C2B8F858B938EE06DD91D16A5C801,SHA256=1ABC9C54A6C9FB218826B75BDDBC2BFC8D43A8412E1DC9115207BDD73BEA1785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.972{43EB4363-5778-60F5-C109-00000000E501}78287868C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.957{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-C109-00000000E501}7828C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.941{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.940{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.940{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.903{43EB4363-5778-60F5-BF09-00000000E501}77287904C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.888{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BF09-00000000E501}7728C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.872{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.872{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BE09-00000000E501}6936c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.857{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.857{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.819{43EB4363-5778-60F5-BD09-00000000E501}77004908C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.804{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BD09-00000000E501}7700C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.772{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BC09-00000000E501}5624c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.757{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.757{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.705{43EB4363-5778-60F5-BB09-00000000E501}77847688C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.688{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BB09-00000000E501}7784C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-BA09-00000000E501}6392c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D98CCA3193B2EFE482B3D0D302C3DD5F,SHA256=B79EBA544FA33967DD8A0E9721D56705B23CD9C6C6366BD23892677341F4764D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.672{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.641{43EB4363-5778-60F5-B909-00000000E501}77727684C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.639{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B909-00000000E501}7772C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.618{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.618{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B809-00000000E501}4944c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DF7E71237C217E0B6C1BD2105F35674,SHA256=947021DFEF0DEA6839B248F6821BF30E858116805E39616E9D023E5EE287D98F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.603{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.556{43EB4363-5778-60F5-B709-00000000E501}76367272C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B709-00000000E501}7636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.540{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B609-00000000E501}4372c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.538{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.538{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.503{43EB4363-5778-60F5-B509-00000000E501}58968100C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.503{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B509-00000000E501}5896C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.487{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.487{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B409-00000000E501}8184c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.472{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.440{43EB4363-5778-60F5-B309-00000000E501}66527560C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.437{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B309-00000000E501}6652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B209-00000000E501}6064c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.418{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.387{43EB4363-5778-60F5-B109-00000000E501}62004576C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B109-00000000E501}6200C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.371{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-B009-00000000E501}4080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.356{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.356{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.340{43EB4363-5778-60F5-AF09-00000000E501}69563244C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AF09-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.318{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AE09-00000000E501}3860c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.303{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.303{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.287{43EB4363-5778-60F5-AD09-00000000E501}75287220C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AD09-00000000E501}7528C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.271{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AC09-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.256{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A94B898B4CD6FCA712D3BF12805258B,SHA256=2E08E083FC4DAB81933B27B74C394A0306C98FD64B3F1E1E159145B1D4B09A25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.237{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ACE8A678912F05478911798BE8A8168,SHA256=95BC3EC8640BBE3BF53CD70E05DB4268FCD35FD979B4EE854E59AD97C0801242,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.237{43EB4363-5778-60F5-AB09-00000000E501}74847480C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AB09-00000000E501}7484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.218{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-AA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.203{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.203{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.172{43EB4363-5778-60F5-A909-00000000E501}75401292C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.156{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A909-00000000E501}7540C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A809-00000000E501}7248c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.140{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.136{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-5778-60F5-A709-00000000E501}74567496C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.103{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.087{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.087{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.056{43EB4363-5778-60F5-A509-00000000E501}7472292C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.056{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.040{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.019{43EB4363-5778-60F5-A309-00000000E501}73008084C:\Windows\system32\conhost.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A309-00000000E501}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5778-60F5-A209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:07.987{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5777-60F5-A009-00000000E501}4192c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028735Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:09.443{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCEEF60098134D81C4E700DA5B7DB98,SHA256=ECD2F06D394EB0A31A96AB8876404482366C32E14F7712C1FDDF6FA82F563951,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.988{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.972{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.972{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-5779-60F5-DF09-00000000E501}57524080C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DF09-00000000E501}5752C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.941{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DE09-00000000E501}6844c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.919{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.919{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.903{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4804C69D704201C74BECB76BFF45C644,SHA256=209DED524F4AD541042C54B9B5EB9C5015BD872A524A5870091C3C1E0E2A488C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.887{43EB4363-5779-60F5-DD09-00000000E501}58763244C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.872{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DD09-00000000E501}5876C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.857{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.857{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DC09-00000000E501}7528c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.803{43EB4363-5779-60F5-DB09-00000000E501}74844568C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.788{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DB09-00000000E501}7484C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.772{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.772{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-DA09-00000000E501}7508c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.756{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.756{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.738{43EB4363-5779-60F5-D909-00000000E501}75048172C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.719{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D909-00000000E501}7504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.719{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D809-00000000E501}7232c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.703{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.672{43EB4363-5779-60F5-D709-00000000E501}74567524C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D709-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.656{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D609-00000000E501}2436c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.641{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.603{43EB4363-5779-60F5-D509-00000000E501}74727256C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.603{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D509-00000000E501}7472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D409-00000000E501}8144c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.588{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.556{43EB4363-5779-60F5-D309-00000000E501}73008168C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D309-00000000E501}7300C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.541{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D209-00000000E501}7360c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.519{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.519{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.488{43EB4363-5779-60F5-D109-00000000E501}2612104C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D109-00000000E501}2612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.472{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-D009-00000000E501}8080c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.456{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.456{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.434{43EB4363-5779-60F5-CF09-00000000E501}7676504C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.419{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CF09-00000000E501}7676C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.403{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.403{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CE09-00000000E501}4880c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.387{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.387{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.356{43EB4363-5779-60F5-CD09-00000000E501}52248036C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.356{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CD09-00000000E501}5224C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.340{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.340{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CC09-00000000E501}7984c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.319{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1328020307F7F553635CA42FD8660D1F,SHA256=E9577AF33539E636342D1CE2865D4A455FBF35AE218B977CCC01F020C2D64B04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623A29A3753FC9CB8E273053645BD013,SHA256=94E39A161BDA3B4F81984A76708C23C1F3A8AA324BAFBC70163DA0872174F085,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.287{43EB4363-5779-60F5-CB09-00000000E501}79728056C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.272{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CB09-00000000E501}7972C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.272{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-CA09-00000000E501}7192c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.256{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.219{43EB4363-5779-60F5-C909-00000000E501}87956C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C909-00000000E501}8C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.203{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C809-00000000E501}7880c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.187{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.187{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.156{43EB4363-5779-60F5-C709-00000000E501}79127740C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C709-00000000E501}7912C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.141{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C609-00000000E501}6644c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.138{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.138{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.103{43EB4363-5779-60F5-C509-00000000E501}64407760C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C509-00000000E501}6440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.088{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C409-00000000E501}7180c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.072{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.072{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.019{43EB4363-5779-60F5-C309-00000000E501}72927628C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.019{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C309-00000000E501}7292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.003{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.003{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-5779-60F5-C209-00000000E501}7872c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.988{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:08.988{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5778-60F5-C009-00000000E501}7712c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028736Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:10.521{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8FFFEC23917FFF5FDD835FEFE79BB2,SHA256=874C3E91D6CC8FC3D6C2105C4C900192BA36ECBF16433E14F520665C78C6FF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.955{43EB4363-577A-60F5-050A-00000000E501}74927456C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.955{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-050A-00000000E501}7492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.940{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.940{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-040A-00000000E501}7500c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.939{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.939{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.918{43EB4363-577A-60F5-030A-00000000E501}73047544C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-030A-00000000E501}7304C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.902{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-020A-00000000E501}6712c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.887{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.887{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.856{43EB4363-577A-60F5-010A-00000000E501}80847460C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.856{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-010A-00000000E501}8084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-000A-00000000E501}3800c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.840{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.646{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65095-false13.32.25.69server-13-32-25-69.fra56.r.cloudfront.net443https 354300x800000000000000057799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.629{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local55937- 354300x800000000000000057798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.448{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65094-false34.98.75.3636.75.98.34.bc.googleusercontent.com443https 354300x800000000000000057797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.427{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65093-false143.204.205.12server-143-204-205-12.fra53.r.cloudfront.net443https 354300x800000000000000057796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.426{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local56006- 354300x800000000000000057795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.424{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-876.attackrange.local59175-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000057794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.424{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local51453- 10341000x800000000000000057793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.818{43EB4363-577A-60F5-FF09-00000000E501}41927408C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FF09-00000000E501}4192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.803{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FE09-00000000E501}4612c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.787{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.787{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.771{43EB4363-577A-60F5-FD09-00000000E501}43444500C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FD09-00000000E501}4344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.756{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FC09-00000000E501}8032c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.740{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.740{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.718{43EB4363-577A-60F5-FB09-00000000E501}45163504C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.718{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FB09-00000000E501}4516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-FA09-00000000E501}852c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591E333CB138A63485F3AB7A78F1DE0F,SHA256=3597486295578DD4341111EBCC67568C33D9230243CC74D68354D7F3A88E2BAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.703{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A4BE2F50F07CE25D1E7D7F15AAB3884,SHA256=0B750F007213CB5B860FAAF3E0E3A186FCEE50BD0661D0D6E00C9A541A32AFD6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.687{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.687{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.671{43EB4363-577A-60F5-F909-00000000E501}71927972C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F909-00000000E501}7192C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.656{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F809-00000000E501}8040c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.640{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.640{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.618{43EB4363-577A-60F5-F709-00000000E501}68528188C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.618{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F709-00000000E501}6852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.603{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.603{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F609-00000000E501}7980c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.587{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.587{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.572{43EB4363-577A-60F5-F509-00000000E501}67085912C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F509-00000000E501}6708C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.556{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F409-00000000E501}7856c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.540{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.540{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.519{43EB4363-577A-60F5-F309-00000000E501}77563664C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B485C9E62222F91ACE4F7E1868ECA74,SHA256=2595D9ADFF0CAD34929263CD8A20F2F3E31FBF3AA5B1464D79A58EA54CA53E26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F309-00000000E501}7756C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000057751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.503{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60A7199738BDFDD078D2E9788D2C6239,SHA256=C4BC062EF71D6135270C2500A6D58CAF39A1EAD0D66238FAA019B93D17EF7694,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F209-00000000E501}7892c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.487{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.456{43EB4363-577A-60F5-F109-00000000E501}78607884C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.456{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F109-00000000E501}7860C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-F009-00000000E501}7836c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.440{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.439{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.419{43EB4363-577A-60F5-EF09-00000000E501}72847900C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EF09-00000000E501}7284C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.403{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EE09-00000000E501}7808c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.387{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.387{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.356{43EB4363-577A-60F5-ED09-00000000E501}69287896C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.356{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-ED09-00000000E501}6928C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.340{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.340{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EC09-00000000E501}7816c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.339{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.339{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.303{43EB4363-577A-60F5-EB09-00000000E501}43844908C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.303{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EB09-00000000E501}4384C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.287{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.287{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-EA09-00000000E501}900c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.272{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.241{43EB4363-577A-60F5-E909-00000000E501}76526392C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.241{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E909-00000000E501}7652C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.237{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.237{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E809-00000000E501}8132c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.219{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.203{43EB4363-577A-60F5-E709-00000000E501}77247764C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.188{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E709-00000000E501}7724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E609-00000000E501}7928c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.172{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.141{43EB4363-577A-60F5-E509-00000000E501}79247272C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E509-00000000E501}7924C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.119{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E409-00000000E501}7648c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.103{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.103{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.072{43EB4363-577A-60F5-E309-00000000E501}80447200C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.072{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E309-00000000E501}8044C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.056{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.056{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-E209-00000000E501}4100c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.041{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.041{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.019{43EB4363-577A-60F5-E109-00000000E501}59366428C:\Windows\system32\conhost.exe{43EB4363-5779-60F5-E009-00000000E501}5764c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.003{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-E109-00000000E501}5936C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x800000000000000057876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000057875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.810{43EB4363-577B-60F5-170A-00000000E501}76128132C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.809{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-170A-00000000E501}7612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.804{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.804{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000057871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F08CFC4C96504F0D48BF840C123AC68,SHA256=E19E8BA9DB6C12E8EB25B97244E2A9D78563E25C7E3CC76D64507056E58BE6E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.470{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.470{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.455{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=572CD94E0A6319328DD6A40DE1460F66,SHA256=840B3B1C94D4C8E683C2DA64D6306CE939D8CD9A47F8E180A60FB0CEB77405D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.338{43EB4363-577B-60F5-150A-00000000E501}76847820C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-150A-00000000E501}7684C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.318{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-140A-00000000E501}7308c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.302{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.302{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.286{43EB4363-577B-60F5-130A-00000000E501}6166680C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-130A-00000000E501}616C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.271{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-120A-00000000E501}8140c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.255{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.239{43EB4363-577B-60F5-110A-00000000E501}78526236C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.237{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-110A-00000000E501}7852C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-100A-00000000E501}7244c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.218{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.186{43EB4363-577B-60F5-0F0A-00000000E501}71086652C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.186{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0F0A-00000000E501}7108C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0E0A-00000000E501}2972c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.171{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.139{43EB4363-577B-60F5-0D0A-00000000E501}66326624C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.139{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0D0A-00000000E501}6632C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.136{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.135{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0C0A-00000000E501}4576c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.118{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.118{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.102{43EB4363-577B-60F5-0B0A-00000000E501}69567528C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0B0A-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.087{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-0A0A-00000000E501}6060c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000057833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.071{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1238D76F060E517F81D9E09F4E4ABC79,SHA256=EB4491EF5CFDB945DCE1AD426BBF4765EC05E8126406028BC0F08ADEB9DBCF51,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.055{43EB4363-577B-60F5-090A-00000000E501}57407484C:\Windows\system32\conhost.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-090A-00000000E501}5740C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.040{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577B-60F5-080A-00000000E501}7216c:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028737Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:11.739{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C95CB08EA60FF59580BB8CA33FF16EFD,SHA256=C453A7CE625D1308CD54B1917ABDC09A4A68567AD7BCB853CAECB90A7FA64A8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.018{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.018{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.002{43EB4363-577B-60F5-070A-00000000E501}72327504C:\Windows\system32\conhost.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.002{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577B-60F5-070A-00000000E501}7232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.987{43EB4363-56CE-60F5-F708-00000000E501}75728128c:\Windows\syswow64\MsiExec.exe{43EB4363-577A-60F5-060A-00000000E501}5084c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+4f2c(wow64)|C:\Windows\Installer\MSI4EF4.tmp+122f(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028738Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:12.974{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C93BE3052B79E7F52286BD96594DA0,SHA256=B69FC2A234C09920C02C5C3925FE07076A1832263CB38B2658FB4254910421E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.987{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.971{43EB4363-56CD-60F5-F608-00000000E501}75482112C:\Windows\system32\msiexec.exe{43EB4363-577C-60F5-180A-00000000E501}7864c:\Windows\System32\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.977{43EB4363-577C-60F5-180A-00000000E501}7864C:\Windows\System32\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\Windows\System32\MsiExec.exe -Embedding 30808903E370CCBE1753D730B2F3ABEC E Global\MSI0000C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=F10B3635225BE24A677CB3BB71824D07,SHA256=B5D755B0B561AA8FDAFF156E3715A333179B14C171EFB53392D4D806D14CF9C9,IMPHASH=18A9F87944C357EB02511FDF4A18E19B{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 23542300x800000000000000057925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.940{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71D0.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.936{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D67C6B6C6CF49D1EF21D973AF306B90,SHA256=B04A45B5FF05FEDABF90EE212F3BE7AD59D8549E8184529AB5BE7D87E4E6EB68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:10.590{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local51228- 23542300x800000000000000057922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.838{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53A130723379BBB0C68239F3EE511A82,SHA256=9A8BDE5802BD3A7D73BC7B7B6CB7EB59A21B4E2F7B0326795C66C3B43D014001,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.718{43EB4363-56CD-60F5-F608-00000000E501}75487728C:\Windows\system32\msiexec.exe{43EB4363-56C9-60F5-D908-00000000E501}7732C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.603{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c62a.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.603{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6EACE38CC8BE29AC22BAEF21F301B1EF,SHA256=B96DBB438458A7A1F2B6268F06A8EDE6B60226BAB431112C0D1B663D3FEA922E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=627ACF088B2C35DC379F3B1E837955BE,SHA256=04E6C468DCA0883CE04F031B760FD12F39752F1B87CF9AD3B48CB7CABD212E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF722970905C2DFFF6.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF97233BEED58598DD.TMPMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.572{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4F71FC765D38BE9A.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6A8CF91ED6D8568A.TMPMD5=CEFD480AB62A239E4B7E880F2EEAFAA9,SHA256=72AE17727A0DD703799168ED82AD603AE9EC25E9A99A7DC5825E15B3D1E453EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c626.msiMD5=E20FBF0B3B3A743FF322CF09889E384F,SHA256=58B06E326B3EE4D5ABD578EAC08CDA92CE97F21AA7CE6CC77EA20CAF8B9777EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD11917BC9AB48296.TMPMD5=FB3CE4A840D07714C74EDA2DE1DAFEB0,SHA256=288A5544930EDA929D24547F8A1A731A379F71583E6BE0DA9B983DE9BFA147CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF787A0D82E964230D.TMPMD5=06F56E37CED4F9372FE1A8039948EABD,SHA256=25FFCC59B999E07EC2A50658DC47F648268B5032BFCD85EBD37E05D4B356B1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.556{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FD322DD5CB90CC47461E442A404E8EF,SHA256=D14BED37CF62F2445A9CDBBD16AE04BCF98256E307ED2E5D36DFABC9DA445257,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000057908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:09.634{43EB4363-55F0-60F5-A708-00000000E501}6340d2nxq2uap88usk.cloudfront.net02600:9000:2156:600:a:da5e:7900:93a1;2600:9000:2156:4400:a:da5e:7900:93a1;2600:9000:2156:5000:a:da5e:7900:93a1;2600:9000:2156:9a00:a:da5e:7900:93a1;2600:9000:2156:7000:a:da5e:7900:93a1;2600:9000:2156:f200:a:da5e:7900:93a1;2600:9000:2156:2200:a:da5e:7900:93a1;2600:9000:2156:1e00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000057907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c628.rbsMD5=507336B8EC33F0B06B0B1BC09F6153B0,SHA256=C5BC243BA4641D553B47AB0002A040F5FB6700ACFCAAECC90FF6130A87CEE8E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7A6D14A5B0D964AF.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF28F77569EA3C37EA.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFFB2717A00B2D9BAB.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.540{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF08019A4DE86EB4B4.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.537{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6FFB.tmpMD5=6275DC31CD402071BE7B55ADD3DE1C23,SHA256=1AA058F49A4CD780750FA23486E7AA9513C231D65CCFCBF7E6475EF8E793D14F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000057901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x800000000000000057900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x800000000000000057899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:12.518{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}\InstallSourcec:\program files\microsoft office\root\integration\ 23542300x800000000000000057898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c628.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBEDFAE4F898F4275.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.503{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF81666B1FE8F56580.TMPMD5=6C47DCB07AA8638E227EA5BD9463D68D,SHA256=BD021F999121FEDF46600CCB1AD8468A4BA14FA6A8D8B92E7A10A49A1B19E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.472{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI6FFB.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-56CD-60F5-F608-00000000E501}75487812C:\Windows\system32\msiexec.exe{43EB4363-56C9-60F5-D908-00000000E501}7732C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c626.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.419{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96208B6D1B2E1DEA78EFBD5FDF936728,SHA256=AF41BF2116F7C64B9A36697FE79047645F339E87F6AC96D039EC5DB08EC881D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3409A0921C157E6F6E21B5BD65F79FC,SHA256=9CB6EBD83A338CB2569BA3C0D1E8D420A62B2D9FB43A2E8B8B555BA2D5D30B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD9DDF561CEF455AF.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.403{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFE15E05D6017ABF60.TMPMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF02401A2BE8218C2B.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD6A71A656FAE9662.TMPMD5=F85A554CAB54CF9844C088F1834BE712,SHA256=CEC12574499DCA58E1B87BB61C098597E39429D8FA5135F35F720718D287B500,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.387{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c622.msiMD5=48C6BB846D0E859DC7795CFB7E7B387D,SHA256=C689BD3ADAFE767C6C61C56DA5D6F8FA0971EC0DF8BD7A669655C12DBBA5B19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A3409A0921C157E6F6E21B5BD65F79FC,SHA256=9CB6EBD83A338CB2569BA3C0D1E8D420A62B2D9FB43A2E8B8B555BA2D5D30B54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.287{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B796FF0704B3667FC12BC760D6BB462A,SHA256=E058A33C1C87AB31298C03084AC1B8BA6757F51AB01D85E11AFEE4F3BF10BE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF78BDC4C75F6FC805.TMPMD5=BCFEFC84A7086A479D3CBC40E90A7D1C,SHA256=EB61068F4C40251BE2BE5E00F965EA30F951174BA454FF3EF2B88D684467091B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF86AD75788D93DCE.TMPMD5=9A892E92C03F738E02419A424F58A3B3,SHA256=D63F498BB967731C511BB05504E4123C7AF44A722630461532759FBBAFB3E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.272{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c624.rbsMD5=80183A9BB8E65A87AA29796295631957,SHA256=3FBF83426E114A7E18510C7F15DFE7578A185A01405BF8F86F32A06C1F6DD14B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.239{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI4EF4.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 10341000x800000000000000057878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.925{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:11.925{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-577B-60F5-160A-00000000E501}7784c:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028739Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:11.919{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000057967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0797713338DC66DE75680C31B1091F6F,SHA256=964601A9CCEE258D302C4EEA641EF5AAB6045014B349ADEBBABE2E18659BB86E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37A4-60F5-0A00-00000000E501}6082808C:\Windows\system32\services.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.744{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.690{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.690{43EB4363-37A4-60F5-0A00-00000000E501}6081020C:\Windows\system32\services.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.621{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\URLUpdateInfo(Empty) 13241300x800000000000000057958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\PublisherMicrosoft Corporation 13241300x800000000000000057957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.590{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}\InstallSourcec:\program files\microsoft office\root\integration\ 11241100x800000000000000057956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.343{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vcruntime140.dll2021-07-19 10:44:13.343 11241100x800000000000000057955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.321{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\vccorlib140.dll2021-07-19 10:44:13.321 11241100x800000000000000057954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.306{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pkeyconfig.companion.dll2021-07-19 10:44:13.306 11241100x800000000000000057953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.259{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll2021-07-19 10:44:13.259 254200x800000000000000057952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:44:13.259{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2002-02-01 19:02:02.0002021-07-19 10:44:13.205 11241100x800000000000000057951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:13.205{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE2021-07-19 10:44:13.205 11241100x800000000000000057950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.205{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Microsoft Office\Office16\OSPP.VBS2021-07-19 10:44:13.205 11241100x800000000000000057949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.191{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_codecvt_ids.dll2021-07-19 10:44:13.191 11241100x800000000000000057948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.174{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_2.dll2021-07-19 10:44:13.174 11241100x800000000000000057947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.174{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140_1.dll2021-07-19 10:44:13.174 11241100x800000000000000057946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\msvcp140.dll2021-07-19 10:44:13.159 254200x800000000000000057945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2002-02-01 19:02:02.0002021-07-19 10:44:13.159 11241100x800000000000000057944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:13.159{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE2021-07-19 10:44:13.159 11241100x800000000000000057943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:13.143{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Windows\SysWOW64\concrt140.dll2021-07-19 10:44:13.143 23542300x800000000000000057942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62c.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF73478E3CD2B49CF2.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.105{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF981FB8DC105D880D.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.074{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7240.tmpMD5=EE6243DF5EA48D929DA4790EFEEA45C9,SHA256=0503FCF7646DAAE6E5445D8C5F248384542D2EEAB4C7D8AD3CD5A47759759A48,IMPHASH=27304803DEB6EEDF56BA2A6E235C6126truetrue 23542300x800000000000000057938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.018{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71F1.tmpMD5=EE6243DF5EA48D929DA4790EFEEA45C9,SHA256=0503FCF7646DAAE6E5445D8C5F248384542D2EEAB4C7D8AD3CD5A47759759A48,IMPHASH=27304803DEB6EEDF56BA2A6E235C6126truetrue 13241300x800000000000000057937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.018{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000057936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.002{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Config SourceDWORD (0x00000001) 13241300x800000000000000057935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:13.002{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_288C719A-D921-402F-93ED-77A6E8F040BE.XML 10341000x800000000000000057934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:13.002{43EB4363-577C-60F5-180A-00000000E501}78647920c:\Windows\System32\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\Windows\System32\MsiExec.exe+6bca|c:\Windows\System32\MsiExec.exe+7166|c:\Windows\System32\MsiExec.exe+8df7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028740Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:14.208{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381180DF937C6BB56E02111E10B03FEE,SHA256=B9F861C06CDBBE18D65C8B93C38CAE3C94B8F49C82444A2DBCC1AE78CED68B14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.905{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000058013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.905{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000058012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.889{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.820{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.820{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-577E-60F5-1A0A-00000000E501}3504C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.805{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.789{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.789{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DF43B8F7E9BF378815B4B481E517B58,SHA256=71A06B6742FCA829584386A8D87381CAE94BEBFC14CD9F3D86CCC9AA8B2434F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.755{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CA244E1A5BA730F36039E0CCEEE931C6,SHA256=2A1482115E5B3108432B7AD13B81B30FC008364ABEC61603062514AF9765C0CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.962{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65099-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000058001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.962{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65099-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000058000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56C9-60F5-D908-00000000E501}7732NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=B85CF81C3DAD77757EFCCD26DCEF1B20,SHA256=306EA7C0E6B01B2A7ED339B36C377F56095659F37FE87B210EF1AC401A4CEBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56C9-60F5-D908-00000000E501}7732NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=AA401F07B158167796D2B8D01161801C,SHA256=5DC963992AD9F9F037C144D36762C2705EBE7680D9DB3616D85DDEE7E701D017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D9ECE4B8DC162B2467C7293A6A474BA3,SHA256=4489E8F4FD9A14A5E78C09712C3AF6D76D74FA8EE888B7E423CC656C323ED7DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.636{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF25FE5DC18A13FE01.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCFDFBB0FCBCF81F2.TMPMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF00B9092F0FC4D3AA.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6A660DF7B592E1EE.TMPMD5=DA986370EE760E42A6E63656C2D47F7E,SHA256=E1EAF80CAA9883F8D4684EA47DCE2AED3E82630403501EBDA958B3E4C33B0525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.620{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c62a.msiMD5=8F45FCA7C2405E86581E45829C516558,SHA256=F12642BECC030EBCD3964309F63A535B4FC0198990BDC03C3D6652706324ECDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.504{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\y7l8cnva.default-release\cache2\doomed\24677MD5=9CA43F308C17EFBDACFF4106776D6173,SHA256=9E844032CBD30BAF6C3F6DAA669ABF1C722DDC959BD43ECCC3DCF2A55D4EBED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B248641FAF804306E2AF7FED40550828,SHA256=A54CDC325FBC0F038E4D022258CC14196F83B656BF0B6EABC6E4C07EE3F604DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6F52F3F668E779FA.TMPMD5=3DB4C0F6BB1D89986424CB567BB6240B,SHA256=AC33BA812417824860B1B83F78268593530A4DEB61387FE05449D78ADEEB14F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.489{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF8DCA68FE1C1F89F2.TMPMD5=25585A18D5FEAAE0B72E14FD10383057,SHA256=52B3FA676392FE91E217B2A4881423EE98886C9B2E6E5FC2DCC3971CB7A58757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62c.rbsMD5=E60D7F08DAB4433861FDA1DF2847C743,SHA256=FED02BBE1639CCA4C33C6F187281E7C93AE0E1374D22DED850BC501188AA2F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCA19220E9F248FC2.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD4B2A4AC5CA8B42B.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFFBE7DAD1F9B7079C.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000057983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFB0ECACF009B617A2.TMPMD5=0D03BDEB646FD0ED913F8CBE06B60530,SHA256=3B2FFC52736281892B24169703CE5F0E2011C3173390F72D297A6C09BF319ABB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.473{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI71D0.tmpMD5=4CD7B70145372AD3A3C0132375B77ADF,SHA256=F04DB4DBE9A9A52BD6BE3F50E0E6193B68B35A408C7CCBDAA389F94F589C965A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.457{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI7454.tmpMD5=8E81FA5714AF635EDABEF92ED5211750,SHA256=AADE181D78E6DD6ABDA61C33748264B88116945A4F7497B1E003DA47AC70CFF1,IMPHASH=E3EC487F117DDC5C6CD318AF9785DD2Etruetrue 23542300x800000000000000057980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.447{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8AE19CFAB2F5567CCE23322B60A7813,SHA256=5BAD4A6F92CF511AE3FF5678688E23C39C44F4933EB7DA2474BE66FCBD45AFF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000057979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.442{43EB4363-577D-60F5-190A-00000000E501}78847832C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x800000000000000057978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.442{43EB4363-577D-60F5-190A-00000000E501}78847832C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.400{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D1DD144B70938FA0C477989F651AE14E,SHA256=E183C2F2B741072F2D624ECB2EBAB73B26A23ECD391B710A2295281F8C211B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.392{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=31BF22372C777C0F7977E4F7DCA35AE5,SHA256=28BCC1D8EE62ED968FDB484546331850CAA9DBA0ED0F2CFF2672269E427702E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000057975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.953{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65098-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000057974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.953{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65098-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000057973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.937{43EB4363-37A7-60F5-0D00-00000000E501}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65097-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000057972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:12.937{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65097-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 23542300x800000000000000057971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.185{43EB4363-577D-60F5-190A-00000000E501}7884NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=16B7F0029E264F6636B863ED46240CE3,SHA256=D54273A0C794D985603400DB07F73EB440953B37C87C2FC90AE1041F1CB9ECC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E425DF9AEBB912AAB7F098364C69B489,SHA256=7F79238FD37969D19F93CCBACD973524A2B2B4620ACDAB44C9542FF85B2CF582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC19D0E781348BB0DA9ED512E80B8700,SHA256=7B9906AE5280234392DCB7B7125DA0394724E1373612099FC088774C70EC199C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000057968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.064{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6D917266655023CED133AF44878ED196,SHA256=DCDB8A726539DE6BD480B23B45D938DBB0EEF9A1196B5866178400941CD08D0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028741Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:15.427{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=312876537B84C35B8488BDC960FB89B3,SHA256=11B655AC788C1EBE927AE9D4A1D7DD76E4F1E2C239182F27AAA4C15E24554F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.854{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=722E606DED744BD16001EF5F97053888,SHA256=6D38EB9D8370C2405C9243915EE06A8776A98CBA4C21EECF50981D7252760A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.118{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED424DFDAB0506FC6194E8B5BC96BD70,SHA256=CD6EC96874FBEB5AB89A9C555E048877423314E98BB702D8F78A1337DC3B0891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028742Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:16.458{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=807CFC9CF797789A6CF33652EC507125,SHA256=BCDE283B46E3CC243C91D97707A9D8A77C6D1E027CD3E50140164901608D5672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.987{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.987{43EB4363-5780-60F5-230A-00000000E501}72524568C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-210A-00000000E501}5084C:\Windows\system32\fontdrvhost.exe0x13ffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-55C1-60F5-7308-00000000E501}19442588C:\Windows\system32\winlogon.exe{43EB4363-5780-60F5-210A-00000000E501}5084C:\Windows\system32\fontdrvhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+60dea|C:\Windows\system32\winlogon.exe+3508a|C:\Windows\system32\winlogon.exe+1bbfd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-230A-00000000E501}7252C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.972{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06a9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A5-60F5-0B00-00000000E501}6244764C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs\AppCs\S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523S-1-5-18v2.26|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|LUOwn=S-1-5-18|M=microsoft.windows.fontdrvhost|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host| 10341000x800000000000000058044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.956{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e5) 13241300x800000000000000058042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{8D7DF810-1D1B-4776-9963-602509F284D0}v2.26|Action=Block|Active=TRUE|Dir=Out|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 13241300x800000000000000058041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000006e4) 13241300x800000000000000058040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:16.956{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Configurable\System\{0A8571D6-2487-41A5-A3ED-C1C99961FC3F}v2.26|Action=Block|Active=TRUE|Dir=In|Name=Usermode Font Driver Host|Desc=Usermode Font Driver Host|LUOwn=S-1-5-18|AppPkgId=S-1-15-2-95739096-486727260-2033287795-3853587803-1685597119-444378811-2746676523|EmbedCtxt=Usermode Font Driver Host| 10341000x800000000000000058039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.941{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55C1-60F5-7308-00000000E501}1944C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.941{43EB4363-5780-60F5-200A-00000000E501}74568180C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-200A-00000000E501}7456C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1F0A-00000000E501}7532C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a0903|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.925{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.909{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.906{43EB4363-5780-60F5-1D0A-00000000E501}72567468C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.905{43EB4363-5780-60F5-1E0A-00000000E501}12927304C:\Windows\system32\conhost.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1E0A-00000000E501}1292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1D0A-00000000E501}7256C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44f6d5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44de4c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.871{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5780-60F5-1B0A-00000000E501}5216C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a08b6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:16.840{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\C2R32.dll2021-07-19 10:44:16.840 11241100x800000000000000058022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:16.840{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems32.dll2021-07-19 10:44:16.840 13241300x800000000000000058021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:16.825{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\O365ProPlusRetail - en-us\PublisherMicrosoft Corporation 354300x800000000000000058020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:15.172{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65101-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:16.148{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B25BC4AA1A4FF5A9DA4D3DD780DA8D62,SHA256=5792AB6A740BCAAFE58726E0C9E4A80C56E6F57C61F757DD1EB7829EF5560E14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.745{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65100-false10.0.1.14win-dc-876.attackrange.local445microsoft-ds 354300x800000000000000058017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:14.745{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65100-false10.0.1.14win-dc-876.attackrange.local445microsoft-ds 23542300x800000000000000028743Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:17.583{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1AAC2D1D879357450E8FC2ADBAEF0B,SHA256=06C267BD13E9DCAE763A6C354D6053789CD806466AB8556EBDF310684307ECC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.968{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.965{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.965{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+11f08a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44de53|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.961{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.951{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.943{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.938{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.938{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.930{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.928{43EB4363-5780-60F5-1C0A-00000000E501}7460NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.926{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.905{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010CE474DAA48E5F8BF76325EEA58490,SHA256=BED5E5E43941DF5F0BD2014BC8EA06408063B618E7DACCFA22172E32BA8166F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.901{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.891{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.890{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.887{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.885{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.878{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.878{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-343.datMD5=78D06D7801BCB7D4B47D85E8C86BC976,SHA256=96CE8B1E19A6A634AA809C531AD2EE7E0A12BBC8B86DE352A0D95A3879DFD593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.868{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.854{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.854{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.853{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.846{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.842{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.838{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.837{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.836{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AB907E061737E628CD07DD8E97A8C9,SHA256=3C8FC16F8D8EBB3400040680110C870EB0B2B306521172E98F8943779226C4DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.834{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.828{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.810{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.805{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.804{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.802{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.797{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.795{43EB4363-5781-60F5-2F0A-00000000E501}10047652C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.789{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.778{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.775{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.774{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2F0A-00000000E501}1004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.765{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.763{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.763{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2E0A-00000000E501}7708C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06d0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.759{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.758{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.754{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.751{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:17.743{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Automatic Updates 2.02021-07-19 10:44:17.743 10341000x800000000000000058202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-55F0-60F5-A708-00000000E501}63404352C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.738{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.728{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.720{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.720{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.692{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-218.datMD5=7C54EE76D5D897B46F98604C4C2B4385,SHA256=394024FB951A4F97CDD402D7211C0A9568CD0E6341FE3B8A513CCB7ADB43EEA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.691{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.688{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.684{43EB4363-5781-60F5-2D0A-00000000E501}77244944C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.680{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.675{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.674{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.670{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.669{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2D0A-00000000E501}7724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.660{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.656{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.642{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.630{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2C0A-00000000E501}1304C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06a9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.624{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.620{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.616{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.615{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.614{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.612{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.582{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.576{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-62.datMD5=AEEE6A80313C491BD2E26FE72FD385FB,SHA256=7D27CD41A89C3414D26155AA1873D3DE19FB068C17C9D4BC584F9CBDD0C771D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.575{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.571{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.570{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.558{43EB4363-5781-60F5-2B0A-00000000E501}7964616C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.556{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.552{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.543{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.532{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2B0A-00000000E501}7964C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.515{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-2A0A-00000000E501}7648C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a0903|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.514{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.511{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.497{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7AC825B983802D3AF3F9AD769BF5C82,SHA256=31A6C4538E97A18CBC0CEFBE54EF51B53602BC6846F38F01F60FFF1D21B1B563,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.496{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.484{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.483{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.483{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.476{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.457{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.457{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.456{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.453{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.450{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.448{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.439{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.420{43EB4363-5781-60F5-290A-00000000E501}81006236C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.411{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.408{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-890.datMD5=1D69696FF2E6AA855568F00E8360B2A9,SHA256=F22178FD63418EDFC1EF97EC87BFBA525F09400C55A11BA1721B1B1ED495B871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.405{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.405{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.403{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-290A-00000000E501}8100C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.396{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.395{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.387{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.379{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.379{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-280A-00000000E501}4100C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a08b6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3834|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43feb9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440305|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.377{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.362{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.361{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.359{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.355{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.353{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.350{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.345{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.345{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF6AC10AC2481B79F1C57F2D9A293A0,SHA256=4812B31E3B6986F69410EA1B55FF693055E8180FBBC6803F7774B6D16ADBE0CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.344{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.341{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.340{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.336{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.319{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.313{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4B0FDB66E84C94B3E9EAEF75F55418,SHA256=E8FE0E9E2036C9E0A22F7AEAB7DF594FFC4BBA113F2457979E5F442A259365D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.306{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.295{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.284{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.279{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.277{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.264{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.258{43EB4363-5781-60F5-270A-00000000E501}60642972C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.255{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.252{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.252{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.248{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-734.datMD5=ED994631C6633B820C0AE937D6518EB8,SHA256=2F09426C76F94C074CFECB049EE173AEAF664B89EBD83CAF83B68E937B7237C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.228{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.221{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.220{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.219{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-270A-00000000E501}6064C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.215{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.206{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.205{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.195{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.191{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.180{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.180{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-260A-00000000E501}6428C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b3960|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44029f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.179{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.174{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.174{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.171{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.167{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.162{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.157{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.153{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.144{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.130{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.125{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.123{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.105{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.103{43EB4363-5781-60F5-250A-00000000E501}69566624C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.088{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4827DFF16531F42BB76ED290DDF32AD,SHA256=2E277833BA271F97715B538671179309F3B3DCFD64ECFA4F2FBC8EDC5F166F4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.072{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.056{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.056{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-250A-00000000E501}6956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.040{43EB4363-564B-60F5-C908-00000000E501}65767300C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5781-60F5-240A-00000000E501}6060C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a07cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+3a06d0|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b360f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+43ff8a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+440254|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4865fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-1C0A-00000000E501}7460C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.025{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:17.009{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office ClickToRun Service Monitor2021-07-19 10:44:17.009 10341000x800000000000000058059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.009{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.007{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:17.005{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5780-60F5-220A-00000000E501}7232C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028745Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:17.060{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028744Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:18.599{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47E21A4486D478CFF63A243EB0AC560,SHA256=AB6D7A1F5C676C26A0A36F3CF251114783D6E83BE4E41ABC1EBDC1D2A19C6BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B8413853FB847FC241DB37315B7D93C1,SHA256=A9E8410157D9A42EF8F7AED31CD555948ECAB2BB1AA6B80DA68347C304FF5163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.982{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9428C63DA6BE1BAE29FFE51B23463E68,SHA256=ED5167CC73BCD80D7F55E9E8D8B695AD7AAF2B9BFD6864A1BBF5406365E8D491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.980{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=63A0BFDEA1121173EF39591C69A5C23D,SHA256=02650F2CB13B833C1E511AB3E2A0797BAAFB9BF79389E0539239718059DE2991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.980{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.970{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=42E8CF471E6C46682CAD28AC300B6D5D,SHA256=F9AC275F7DAB50E0BED5C83721A488165275B2294B3510BB1D61276CE78694EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.962{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-453.datMD5=DF1A7835E8B36DC561CD9FF41290068C,SHA256=91C274F2BFA934B2705F8C8292EEA9BE067EAB5690AAC627DEA24B8AF6712CB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.962{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.961{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.959{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.958{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.956{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.939{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.928{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.922{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.919{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.918{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.917{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.911{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.901{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A296ED00B22CFD443C863E3460BB4AB,SHA256=385A388DAA9671196DD2C350D25949592E90DC9ACA5A5782065BD0DF7FC3FFD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.896{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.892{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.892{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.888{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.879{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.875{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.873{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.854{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.846{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AF9EFB3E7E1A9C02390508DEF7BDC63F,SHA256=7A0A2E3B538CA1596228C50CE3C84F7730585C87D53256F7DBF6DFF9CDFF979D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.844{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.840{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.828{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.819{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.817{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.815{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.809{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.802{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-296.datMD5=53DE200C18BB667BB1DF67C987A58B7F,SHA256=981AFCF6F138102CB04AAF83F59FE72C6FEF43914596F7C1B34740E13D0353FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.800{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.798{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.797{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.795{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.787{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.787{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.768{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.760{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.754{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.752{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.751{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.743{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.729{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.724{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.722{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.714{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.709{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.708{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.702{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.695{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.693{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.692{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.690{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.657{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.653{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.649{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.649{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-140.datMD5=CD3E1261141DFDA05C6B6FF56673B97F,SHA256=2495043260B63860951CC38F06A68638532D168C67A8739029DC76DB2392D329,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.648{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.641{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.639{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.633{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.613{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.600{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.599{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.594{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.588{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.583{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.580{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.577{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.564{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.563{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.561{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.559{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.558{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.542{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49135559EEAC42611C2F5855C55953B5,SHA256=9547996DAA94B52848D19D732E1B5D7633E68EBCA7A509051AA18747F48FF992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.539{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.531{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.528{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.517{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.510{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.509{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.507{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.490{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.488{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-984.datMD5=0F5C9B5A9392319E3DCF5E17E0F8B3A4,SHA256=0927B05782578529C3BDDE7CE057CBCDFB1DA03A3D7B7E734F67A199D06D22BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.482{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.480{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.473{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.468{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.465{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.463{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.462{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.446{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.440{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.434{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.430{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.422{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.422{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.419{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.416{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.412{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.410{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.393{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.375{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.373{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.372{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.369{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.349{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.343{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.341{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-859.datMD5=7A2A774FF60B843B8B9BE20B7ABAB5EA,SHA256=8DD1FEB4E8BC348CFB6C1662A8E486474C110E980A32DA0C86CCB36CC81248FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.335{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.331{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.330{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.322{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.319{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.306{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.299{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.292{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.286{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.282{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.281{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.280{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.276{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.259{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.253{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.246{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.243{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.238{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.231{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.230{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.229{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.218{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.213{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.209{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-703.datMD5=C5CD832C2B34D93D333935DA02116EB9,SHA256=E3A6F092209400EDAA24CE87A5099C5DA50321A4E581A6E716089D75A8E6D749,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.207{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.203{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28735A3D6D2B6173EC152C52E37C4D98,SHA256=CF3301B5E885ADFDF2D2722C4F29623446D2C9225C83CF53EEF730D5E53FF0CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.196{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.193{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.192{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.184{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.179{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.178{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.145{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.143{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.139{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.136{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.134{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.130{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.129{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.121{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.113{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.111{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.110{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.104{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.104{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.094{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC379E63BE3EFB82B06EB837D5AE7B34,SHA256=F29F7F306570EE636F32C8C66BD9C03BBBAA2A3A114CCFB5D1B9DAE2EFA5C68B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.090{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.084{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.079{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.073{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.066{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.061{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-531.datMD5=F2AA6907B5CFA5919915CC314783D3B3,SHA256=5F8F7E7138DAEFD1E2E0156CB474AB3E444415C35F82AF5FD233D101E0AECDB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.060{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.059{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.051{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.048{43EB4363-5781-60F5-310A-00000000E501}78442384C:\Windows\system32\conhost.exe{43EB4363-5781-60F5-300A-00000000E501}8128C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.044{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.037{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.035{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.027{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.023{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5781-60F5-310A-00000000E501}7844C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.023{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.022{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.012{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.008{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.000{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:18.000{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028746Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:19.818{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F2FDFA0DE3BBA90AECB789814891F54,SHA256=ED651445EEB0A0492DF600BCC79BD8F16B039FC1988D3BCC61669CE21598C501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.997{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BA1374E9569D477C548F71CDF06531FA,SHA256=1D720941EB8F69EC2666B0E87631E61D207A6739CB39CBF792CF826B5B1FF51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.996{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.992{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.986{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.966{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.960{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2B38FE3BD33F99469F6759490FEF5F2,SHA256=6FAEF3CE222876A14BA492556622980A1F1520403DEF824CAF79157E35F760F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.958{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.948{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FBCC95173CF1D4375B7889ECE4766DAD,SHA256=FEDAC7CD599E5B76A2DF3A89D19431CF778D8C90ADA696FAC1A5E0DCAA5B1D16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.947{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.939{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94B95D4B0C278F06E7079A566937075,SHA256=3A9C167097D2F57CF11EFF8AB938BF5A4DE7D8B0D2DD30A9B87546B4958DDAE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.915{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.912{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.908{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A7CBEEB55BD981088F9A31C566066D17,SHA256=F04BA9F5E770310862D9A42E58D1FD988F834DB205E0EE08041247BDE2E7D57F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.905{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.902{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.898{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.897{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.894{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.888{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.885{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-359.datMD5=56CC678F24528C74BE19937B1F52874D,SHA256=B4DE0B4B3715CCAD41BF9AA807023CC0883642B4F1137091E1552A79331329D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.880{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.880{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.876{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2B32560E95BBBD82DA244080039461E8,SHA256=46D44E425B8132600FE64AC97B34447C48517B7199CC14199DA253E4B13A2B78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.873{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.868{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.851{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.839{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D69D815F4D6AFF37FC2CCC79613B0D52,SHA256=C49E72F71D74369A97F0F13A9519E430322094FA9465F4886AEC21E8D2055687,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.834{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.830{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.828{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.822{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.819{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.815{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B001A851213FA6D8396A04E4BAA7CD6A,SHA256=F887560B39AFF084C8A2157BC8DE016A17DA5B80CD0163B27D852BB7440B2412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.815{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.812{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.807{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.790{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=33EF0F02ABF81CE8A086B29D2D69E09A,SHA256=318E033770625179B70B7F4CD8AD13AD4CDEC37DDFC0321B3BF3F1269D82C0DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.790{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.781{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.780{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F2A44BD56A8A78A7FC5FB40CF8A525B0,SHA256=5AC9C140346B95979082B9E278BCAEA2770D75C506D082AD144CD2206F20AE4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.768{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.750{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.743{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.741{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.741{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3458A9D10591F3C82A74A2AC65EC72D1,SHA256=3D61C0EBD34A50E6CB6EF8BDAA9247DBD36272DF1AA181098321337FF9BB6056,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.738{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.730{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.729{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.712{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.709{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-171.datMD5=DBB14594C827D8FDFB72F9B248889889,SHA256=4D205B5100F821D5BC98A896A8EDBA3E0672E99EF4C3B492BA5FF43875A4224D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.706{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.702{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.701{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C1BC319FA8341D7B19C4D4E765364C14,SHA256=9347D28DB80DD7D41C9341410A60BE8B46CF37E283D033745F11B7C9D3DF8B45,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.693{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.688{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.677{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E4C70D0F78AFCDE9B06B659D870C93D4,SHA256=57BB47B745326430FBE840899393420892453E15EE25E8A1364CFF62649C8DE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.670{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.668{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.663{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.654{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.652{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.641{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.637{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.635{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.635{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=43760AB26925551D4DDFB36FB4D82979,SHA256=F9CFF12579DC4A139A6787F2EB334C5C3FA265B8005A28C17BDA27375069128B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.625{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.620{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.618{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=040940D7E50D5E2D87309F579FE61BD7,SHA256=0E4DB6B92AA6D746E4CFF793BFE31264B8BB0DC7C26D7981D46333FF2469548D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.617{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.610{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.607{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.602{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75B75EA00AF3A1C7A6A2CC0CF476F115,SHA256=810433A04C42B63CA8C500FCB5E9848B1D26E46B727488FA2AA1B77F2492B59D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.578{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.578{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.575{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.573{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.570{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.542{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=DFC02961EBB026F54CB62B28FB7B2007,SHA256=9A0090C4C6C74CA232B70B37F395B63041BCE5831D8F210E5B688E2155571241,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.530{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9C7B234E5AC04C469554BB045D5D99DF,SHA256=26DD624036C355AF9C639964A62F07B0993FB8A225F705BE647942B480537278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.529{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.528{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.527{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-984.datMD5=A569139E810F662C3042399E18B33052,SHA256=71C87E0CFEC0EB0C6758220F65C6C9EC5C125820616F59AA1A8D2E5878754CE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.526{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.522{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.514{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.496{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.494{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.489{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.484{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.480{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.467{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=801212BFF1321B1EAAC963210B8B6669,SHA256=7298311ED3AD2FEC1947B7AAA6B07B159007E3CA1C9CEB02DAA89911A3A90543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.451{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.450{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.445{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.442{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.438{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.438{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.435{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.414{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9055BA37A6F8C87D8E93D10ADCDDF46C,SHA256=41783F3D8422728BCE0045310A3B95646140C531AB8CFBBE036633BCEF779EAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.413{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.405{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.404{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.402{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.402{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.397{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.394{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.390{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.376{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.371{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.368{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.367{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.367{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.356{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FBBA9415C6D33861B3BD22434075836,SHA256=0CFE90E68A21F47135575F6435484B88F955BA584656D86575BB13D37917F34B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.344{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.335{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-796.datMD5=2F597ED9E49E0E68B6BADFC49E6346B1,SHA256=9B6DC46824C6D41A602C7C14A8AD2F46655580D1AC593D1BE3A10321C0768B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.328{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=8E233CE310712AA6FDAD1B84D842C4DE,SHA256=6D98F07FA65A5BA1CD7761C0313939EA11F05F4D6664BF7B4C2F4F74A5724ECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.327{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.327{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.318{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.317{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.316{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.294{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.284{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.281{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E2199B6931266BBF65D30B8C426B3B40,SHA256=36B9D8B44D51515FB1C39A7BF4EF1F897BD2DEC719013ECE0EB4AF2FA1B075FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.275{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.273{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.269{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.269{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.254{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.250{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.249{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A57FC073214A480EDDE7A47CF5C63C99,SHA256=E1783A9986FDD54FC2EA31485097BA4676D0046D4812E202FBF30F6A711C852A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.240{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.231{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=52167837071E40A93740BC2ADA620D4C,SHA256=C0F853A2DDDACB66B6AD6EA01FCAB7EFBB60D12CB78E703E7017CF65001CFFBC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.231{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.224{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.219{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED1488426FF7DEDDF79B195D0F8D535D,SHA256=2E1A7E6E66F230C88EEF019058B352C7FDD85B997DF5694080F9829D7AE81250,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.217{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.196{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.192{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.188{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.184{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A431ECCD935C67D189B5CD6D61F9E841,SHA256=5C774451B81D1A71C74F083EF81F9F4F4C3FD806B9A3B6CC911D35BBD5E90702,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.177{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.174{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.165{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90712D8E20A4B25F41D93AAF1B08C2CF,SHA256=CE232E9D0C47B71DF7F57CD5F4082D0DB7798E464ABB0C616D93E5AB602B3CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.163{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5750E2E07205CF43F2DDF43A32B3244B,SHA256=AA91C38B6D37AAF93F8947C1290F793B2A805EE31D4015DAB38F40906F1732F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.163{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.159{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.154{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.153{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.151{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.140{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-609.datMD5=523E3CDD9D63F0DBDFE204E81445258A,SHA256=6751D25894D4A8DA9427739E68DA6EEA044DF738AEB8D058BF8D4BD1E6ADC9F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.140{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.119{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.112{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.111{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3DC8EA1BC9AA7FA8B1DF891D53F16EF7,SHA256=4D7751AF92F60999355C73EACD5E74EC056BFBE7977748EDD6D40B0D0911E37E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.108{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.106{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.099{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.098{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.082{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1369ED54552E6CD093FDFCB052D5CFCF,SHA256=5109EEC342CBCA6A4005F2D6BECD32A1586DCB6469B9991A5F33971BB6B89184,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.079{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.075{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F54D995C554A84A14715635D68854B22,SHA256=629DF17768C2827F4BCA1FD327A25F836242690602EBA600E956272643E9463E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.068{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.062{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.061{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9FE8C083BEBF55C7729AD571545E484C,SHA256=067536EC85FF4A0D4BADBE79A9A88B5D24CE836B0DA8F5111A13CCD597F2CBFE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.060{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.052{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.051{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.032{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.029{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A4C0B873151716A8F95845F67B87DDCA,SHA256=3B620D734B4DE14816679348FC5648AD6E4B4BD9C3CAAFD81A5D4942DE19A631,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.021{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.010{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.020{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.014{43EB4363-55F0-60F5-A708-00000000E501}63404352C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.009{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.004{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9BDB40A28B17964791889300F01A697E,SHA256=C3C5410068FBAF7A7DD7191E1045B9E95A03EECD06101A8C3D331FD8C5A95944,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:19.002{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028748Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:20.989{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8CC93BA296B787B4A6681432C54292,SHA256=1401034D7C2AD7491D986365303A505F8355348092BDCC150F2B93D81F2C951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028747Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:20.958{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=98D97C3558EF313618C8EC453BB4841B,SHA256=32E3ED12932A45C5BDDBBD757945AE29665B7DED1650120DB3D222E4D6E2B142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.997{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.997{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.988{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-390A-00000000E501}7648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.988{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-390A-00000000E501}7648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.963{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.956{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.951{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.951{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-380A-00000000E501}5104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.943{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000058742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.943{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 10341000x800000000000000058741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.925{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.923{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-320A-00000000E501}7468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.921{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.909{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.909{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5784-60F5-370A-00000000E501}6652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.866{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.865{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-360A-00000000E501}6604C:\Program Files\Microsoft Office\root\Office16\perfboost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+42693f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44ec27|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44dffe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.844{43EB4363-5784-60F5-330A-00000000E501}7456NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044b.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.829{43EB4363-5784-60F5-330A-00000000E501}7456NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeMD5=5F151F4A44F32D83E060B1AB7FD51820,SHA256=5C18C4CC9CDF45EE1B56D63F9D2CA160ED67F5DF644C8B6202805693C17D4B05,IMPHASH=E8BEA05A14048595A134B0431534A6DFfalsefalse - rename failed with status 0xc0000022 10341000x800000000000000058732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.740{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.739{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.706{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.701{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.667{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.665{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.649{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.648{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.626{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.624{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.618{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.617{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.615{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.614{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-15.datMD5=F8829E746BD704BCCD0C0F3EF26937DF,SHA256=50CAD5BB5A157219454271F89036742DBE01BD4298AECC254C30CD07B767CF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.594{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62DF38A276575DB32AC400DF0AEAAA65,SHA256=C6F7FFAF1D11C1A0633F067319F8ABD6179E0EB87538D14F132FF2A8DB31C74A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.588{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.565{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.555{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.555{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.550{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.547{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.546{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.519{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.518{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.513{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.512{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.505{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.505{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.502{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.488{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.470{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.465{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.460{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.455{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.451{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.433{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.422{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.415{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.414{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.412{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.399{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.397{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.395{43EB4363-5774-60F5-1E09-00000000E501}75847600C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000004444853)|UNKNOWN(0000000004444504)|UNKNOWN(00000000044452ED)|UNKNOWN(0000000004442845)|UNKNOWN(0000000004440F66)|UNKNOWN(0000000004440950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1862b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199457(wow64) 10341000x800000000000000058689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.386{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.382{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.382{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.376{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.374{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.368{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-765.datMD5=40C7A6FAE704B491D5BDE1B84E617E89,SHA256=D52D3586BC558D6D71D25C1A5EC83965CCA11C03785931A1DDF855AA08B8C20F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.359{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.355{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.352{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.340{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.336{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.336{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.321{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.319{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.316{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.316{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.309{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.305{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.304{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.296{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.275{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.260{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.259{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.255{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.252{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.248{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.248{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.237{43EB4363-5784-60F5-340A-00000000E501}71283860C:\Windows\system32\conhost.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.236{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1AE5DB8BF8275E03EEEDFD109D9FDC,SHA256=7C15863E9407FBD2072A46881BB7823C0952477E6F236829BD0A58E358F600CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.235{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.227{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.224{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-340A-00000000E501}7128C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000058657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.222{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56499B8A94D547F362463E7C9ED4F375,SHA256=685D3F3B47DEBDB7D76F6DE77ED17A1FFE350640DA19C5B0FD22CC9583F318A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.213{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.209{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.207{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.206{43EB4363-564B-60F5-C908-00000000E501}65768168C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5784-60F5-330A-00000000E501}7456C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44ed06|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44df94|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.206{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.198{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.185{43EB4363-5781-60F5-300A-00000000E501}8128NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044a.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.183{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=37167D9C880CB674DE0C534662068650,SHA256=0AAD9D0D0CB1AD1C6D39BFE1B2AFE52A78F8155BC74194E4B37E3047CC3193EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.174{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.171{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.167{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.166{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.164{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.155{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.138{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=978A35250606BA350C6DDD8DE4F96201,SHA256=6E6792F465407D6AA8F20407EE7430305EE2385B847F43D245BA0ED12D676F56,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.128{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{43EB4363-5784-60F5-320A-00000000E501}7468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.128{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.122{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5784-60F5-320A-00000000E501}7468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.121{43EB4363-5774-60F5-1F09-00000000E501}61965588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{43EB4363-5784-60F5-320A-00000000E501}7468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD80825A07) 23542300x800000000000000058637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.121{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F1B9FD31AAA274A29FF2AD042CAE5DC2,SHA256=F1CAC1DB13C54BFEA313712A9E3FFED74792B3681F01B808F85FC44355349988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.118{43EB4363-37A7-60F5-1200-00000000E501}356NT AUTHORITY\LOCAL SERVICEC:\Windows\system32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\FontCache-Obsolete-531.datMD5=9C22DBA0A4A8784558EBB85F2771CF4F,SHA256=C6255C66AE3A755554C05FB30A0F2436BF61BA7724C3A3900329118946257DD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.114{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.110{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.107{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.092{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.087{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.082{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.079{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.078{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.078{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.070{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75BE85CDEC9FA8AE43F56420B9DB7E4D,SHA256=6D9A9CE8720F034F5E3EC4339F83B3423FFB675B70E135F5B3BF8E4514B1ACB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.055{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.042{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.042{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0E3319D094BF3072E6F0E9AC32128C42,SHA256=8FA50A2EAA51E2A2E1E897A86F87FF0AF74FA369DA0E8A5C2C61ABEF21BBF3F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.040{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.034{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.033{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.033{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.029{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.007{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+92093|c:\windows\system32\fntcache.dll+68312|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.005{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:20.000{43EB4363-55F0-60F5-A708-00000000E501}63406528C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\firefox.exe+2cf50|C:\Program Files\Mozilla Firefox\firefox.exe+2caa3|C:\Program Files\Mozilla Firefox\firefox.exe+40db0|C:\Program Files\Mozilla Firefox\firefox.exe+40aac|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028749Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:21.365{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.995{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5785-60F5-3E0A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.982{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5785-60F5-3E0A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.982{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5785-60F5-3E0A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.955{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5785-60F5-3D0A-00000000E501}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.945{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5785-60F5-3D0A-00000000E501}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.945{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5785-60F5-3D0A-00000000E501}6148C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.849{43EB4363-564B-60F5-C908-00000000E501}6576NT AUTHORITY\SYSTEMC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xmlMD5=C580A0F2286758CF8F18814FDEB09096,SHA256=07257ACD73BE31404F7E1C567D02F24DFDE9EE3349A2F4D8B505FC65392304F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.739{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.730{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.712{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.700{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.447{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5785-60F5-3C0A-00000000E501}7304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.435{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5785-60F5-3C0A-00000000E501}7304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.435{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5785-60F5-3C0A-00000000E501}7304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.403{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5785-60F5-3B0A-00000000E501}7784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.392{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5785-60F5-3B0A-00000000E501}7784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.392{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5785-60F5-3B0A-00000000E501}7784C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.354{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5785-60F5-3A0A-00000000E501}7684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.342{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5785-60F5-3A0A-00000000E501}7684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.341{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5785-60F5-3A0A-00000000E501}7684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.215{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A2F7368A45D57F2A16550AFB6D5CBB,SHA256=21E2FCC430948C69A62C410AB4DAE4706164CFCD7D2E709E10C5F9E574EA06C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.182{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=520D75BB35277B0F190A5CED7C95DAFC,SHA256=BADC7F769ADA1581E6B9549E35BB6D0ECEABF709D1F7977B7C75D59893010AD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.182{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC795E6447736A2C9F75666EA0FE78B9,SHA256=3F1320AE9E7EAD3CBB049296D95DCEC7EBFFF3FCA810E3F84AF220D31A382C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.013{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.001{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-390A-00000000E501}7648C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028751Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:21.232{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000028750Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:22.021{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C272D4B4A75047ECA95EF92A5AFBE2,SHA256=ECA5F9C8B0E696405EE3F97A85ED68182432A0EBC41500D3C47D3C0971574E22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:21.004{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65102-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.441{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5786-60F5-430A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.425{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5786-60F5-430A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.424{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5786-60F5-430A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.387{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5786-60F5-420A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.368{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5786-60F5-420A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.368{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5786-60F5-420A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.360{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF8A66301A5C83C0831FC084E91D76B0,SHA256=DF6CFE04BF11F065274D37E86CC958FF316A24C22500EDC038D70555576D7A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD5E3FC010EC5B142FB24C7940A8E9E,SHA256=FECD2321BC02BE1E1883B387450AAC7217D2ECE4C601376016F4E76BB1E4A5A4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.254{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5786-60F5-410A-00000000E501}8096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.239{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5786-60F5-410A-00000000E501}8096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.239{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5786-60F5-410A-00000000E501}8096C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.178{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5786-60F5-400A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.166{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5786-60F5-400A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.166{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5786-60F5-400A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.120{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5786-60F5-3F0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.108{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5786-60F5-3F0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:22.108{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5786-60F5-3F0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028755Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:23.588{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028754Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:23.588{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028753Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:23.588{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028752Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:23.088{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E066ABBD25E4219A5F12F5591D3D7B02,SHA256=A4E3CCBA30DFE18F6E963D29273A920799A60A27214962424C44612E11788651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.967{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-4D0A-00000000E501}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.952{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-4D0A-00000000E501}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.952{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-4D0A-00000000E501}6680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.867{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-4C0A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.867{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-4C0A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.867{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-4C0A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.821{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-4B0A-00000000E501}6064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.805{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-4B0A-00000000E501}6064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.805{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-4B0A-00000000E501}6064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.648{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-4A0A-00000000E501}7252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.636{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-4A0A-00000000E501}7252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.636{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-4A0A-00000000E501}7252C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.595{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-490A-00000000E501}7844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.583{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-490A-00000000E501}7844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.582{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-490A-00000000E501}7844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.547{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-480A-00000000E501}8156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.534{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-480A-00000000E501}8156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.534{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-480A-00000000E501}8156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.445{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9151DD7730F82F2D8915CB5E31167A14,SHA256=28A3AF628B08FCE8C478FAC6793642D169D20FEF506C37F21962E41E7D692BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.420{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-470A-00000000E501}8144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.408{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-470A-00000000E501}8144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.408{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-470A-00000000E501}8144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:23.381{43EB4363-5787-60F5-460A-00000000E501}7360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1cc0-0\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.dll2021-07-19 10:44:23.380 10341000x800000000000000058804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.280{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-460A-00000000E501}7360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.267{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-460A-00000000E501}7360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.266{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-460A-00000000E501}7360C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.265{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECB45A8F08B72E78AA9A177F2AD6EC3,SHA256=CC702064A8BDC5076F366F98552868A4FEAD9EDD97BC0BE39F98B56FF1707F1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.233{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-450A-00000000E501}7800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.220{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-450A-00000000E501}7800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.220{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-450A-00000000E501}7800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.189{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5787-60F5-440A-00000000E501}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.175{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5787-60F5-440A-00000000E501}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:23.175{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5787-60F5-440A-00000000E501}6900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028757Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:23.002{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028756Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:24.322{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED22DB4A7D4F975EDB2E212884982B4,SHA256=6BF1D30DD3C0A22B5530894785DF45011F99CAF2E0FAA51707C3B0B686119F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.715{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=3368965E4FEEB1D09999677DF34C9BAA,SHA256=B431BFD7796AD4470D7974F23DA7EFCA4D5700555274F2E26DD72C0290363825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.577{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-560A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.577{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E1DAC8599A7CD20CFA4BE63E2122139,SHA256=3BAB7A40D0622C5445A00F68F7C419121785F170DDAA8D49E6F3A076ED6E2573,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.577{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-560A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.577{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-560A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.546{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86621ABA3F41B25883A7E1BD9E143D94,SHA256=DDD3053C420229CEBA99A0100322B4F4C2F1C8A9E3F71F261C3F5A3828EBDA4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.515{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-550A-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.499{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-550A-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.499{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-550A-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.462{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-540A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.446{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-540A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.446{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-540A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.415{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-530A-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.399{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-530A-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.399{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-530A-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.331{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-520A-00000000E501}5276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.315{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-520A-00000000E501}5276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.315{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-520A-00000000E501}5276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.296{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-510A-00000000E501}7460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.284{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-510A-00000000E501}7460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.284{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-510A-00000000E501}7460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.250{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-500A-00000000E501}7412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.237{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-500A-00000000E501}7412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.237{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-500A-00000000E501}7412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.197{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-4F0A-00000000E501}7296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.185{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-4F0A-00000000E501}7296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.185{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-4F0A-00000000E501}7296C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.053{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5788-60F5-4E0A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.041{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5788-60F5-4E0A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:24.041{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5788-60F5-4E0A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028758Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:25.557{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083D468F2F0AC5BF22C650CB2AD62D41,SHA256=43475EB4116DEB72DFEF8AF1A654B1722C7B45EDDC2A94A6D9B13DE5EB597471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.964{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-620A-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.964{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-620A-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.964{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-620A-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.911{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-610A-00000000E501}4100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.911{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-610A-00000000E501}4100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.896{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-610A-00000000E501}4100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.780{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-600A-00000000E501}6428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.780{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-600A-00000000E501}6428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.780{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-600A-00000000E501}6428C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.696{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFBB0B7CEBF57F760407BF0C2D1A1E63,SHA256=BCBE63D295F83FD2FB3661F220EA98DC2F026E4D3C1F51EB56E276946E478E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.696{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B966ECE0932A23234486BD15488ED829,SHA256=0B5F4492E8FE9241BBFE974D4E0A2F6BB9456F359E2C13682FEFD94C63672842,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.665{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5F0A-00000000E501}7456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.665{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5F0A-00000000E501}7456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.665{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5F0A-00000000E501}7456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.624{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5E0A-00000000E501}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.609{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5E0A-00000000E501}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.609{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5E0A-00000000E501}6632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.557{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5D0A-00000000E501}7232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.546{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5D0A-00000000E501}7232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.546{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5D0A-00000000E501}7232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.504{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5C0A-00000000E501}7680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.492{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5C0A-00000000E501}7680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.492{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5C0A-00000000E501}7680C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.438{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5B0A-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.427{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5B0A-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.426{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5B0A-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.371{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-5A0A-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.358{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-5A0A-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.358{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-5A0A-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.303{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-590A-00000000E501}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.292{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-590A-00000000E501}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.292{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-590A-00000000E501}7000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.239{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-580A-00000000E501}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.228{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-580A-00000000E501}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.228{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-580A-00000000E501}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.199{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5789-60F5-570A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.188{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5789-60F5-570A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.187{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5789-60F5-570A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028759Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:26.791{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D8BB12D867F56BFC72399D48B62F8A2,SHA256=EB952E25BD8E6715024AD5ED182950453F5F54824F4CB31400E088CE162A52DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=046F568E9520F74EDB3E6BB90890C78F,SHA256=9FEA764345D10D7C825941A7530D7CB71BEF1DCBCEE4DDC638F2D8B770B1AC91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.945{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-740A-00000000E501}8184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.929{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-740A-00000000E501}8184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.929{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-740A-00000000E501}8184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.898{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-730A-00000000E501}3860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.895{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-730A-00000000E501}3860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.894{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-730A-00000000E501}3860C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:26.860{43EB4363-578A-60F5-720A-00000000E501}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1328-0\Microsoft.Office.Tools.dll2021-07-19 10:44:26.860 10341000x800000000000000058946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.829{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-720A-00000000E501}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.813{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-720A-00000000E501}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.813{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-720A-00000000E501}4904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.798{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-710A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.793{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-710A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.792{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-710A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.745{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-700A-00000000E501}7672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.729{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-700A-00000000E501}7672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.729{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-700A-00000000E501}7672C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.661{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6F0A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.661{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6F0A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.661{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6F0A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.614{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A55A4AC24E8671069523026D29D6B573,SHA256=8746FC3AFA77B89C6B39EB2BBAB2D2CEF8D8220FD8F38D4D3AA456DD64A80DB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.598{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6E0A-00000000E501}4880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.595{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6E0A-00000000E501}4880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.595{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6E0A-00000000E501}4880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.561{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6D0A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.550{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6D0A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.549{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6D0A-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.505{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6C0A-00000000E501}8000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.493{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6C0A-00000000E501}8000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.493{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6C0A-00000000E501}8000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.453{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6B0A-00000000E501}7836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.442{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6B0A-00000000E501}7836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.441{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6B0A-00000000E501}7836C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.403{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-6A0A-00000000E501}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.393{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-6A0A-00000000E501}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.392{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-6A0A-00000000E501}5912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.349{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-690A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.326{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-690A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.326{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-690A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000058915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.311{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7156A7B295B4120CC28784003C9E6C,SHA256=EECD19F20F21B2E811870FA05E3F6B05A412250811DAD89956916CBCA31D378E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.311{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0113E4736CB79C04620E3852AAAA76E4,SHA256=956C827FE2900424127551ECFB442BE9FC15CDBD338AAFE27126B9F88BCAEDA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.279{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-680A-00000000E501}8092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.279{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-680A-00000000E501}8092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.279{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-680A-00000000E501}8092C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.226{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-670A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.211{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-670A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.211{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-670A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.180{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-660A-00000000E501}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.180{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-660A-00000000E501}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.180{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-660A-00000000E501}4908C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.148{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-650A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.127{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-650A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.127{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-650A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.095{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-640A-00000000E501}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.064{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-640A-00000000E501}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.064{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-640A-00000000E501}5008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.011{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578A-60F5-630A-00000000E501}1304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.995{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578A-60F5-630A-00000000E501}1304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:25.995{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578A-60F5-630A-00000000E501}1304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Addin\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Addin\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SLK\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SLK\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\rqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x800000000000000059216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\oqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x800000000000000059215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 10341000x800000000000000059207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.912{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}7688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.OpenDocumentSpreadsheet.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 10341000x800000000000000059200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.912{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578B-60F5-770A-00000000E501}7688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.912{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578B-60F5-770A-00000000E501}7688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\open\ddeexec\(Default)(Empty) 13241300x800000000000000059197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x800000000000000059196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\iqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x800000000000000059195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\open\ddeexec\(Default)(Empty) 13241300x800000000000000059194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x800000000000000059193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\dqyfile\shell\Edit_Query_in_Notepad\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x800000000000000059192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.896{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.895{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.894{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.CSV\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 23542300x800000000000000059188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.875{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=986C7E63640BE2EAE0B77674C70AB383,SHA256=DDBDF604C96D2BE254A6190E8536EAFEF51524E4AC2E0D87F188C008A748853F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.875{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-access\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.875{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x800000000000000059184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x800000000000000059183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x800000000000000059182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x800000000000000059180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x800000000000000059179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x800000000000000059178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x800000000000000059176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\ddeexec\(Default)[SetForeground][OpenTable "%%1", 2] 13241300x800000000000000059175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1", 2] 13241300x800000000000000059174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\ddeexec\(Default)[SetForeground][OpenTable "%%1"] 13241300x800000000000000059171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1"] 13241300x800000000000000059170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\ddeexec\(Default)[SetForeground][OpenTable "%%1", 1] 13241300x800000000000000059167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.859{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Table.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenTable "%%1", 1] 13241300x800000000000000059166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\ddeexec\(Default)[SetForeground][OpenStoredProcedure "%%1"] 13241300x800000000000000059163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%%1"] 13241300x800000000000000059162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\ddeexec\(Default)[SetForeground][OpenStoredProcedure "%%1", 1] 13241300x800000000000000059159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.StoredProcedure.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenStoredProcedure "%%1", 1] 13241300x800000000000000059158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\topic\(Default)ShellSystem 10341000x800000000000000059157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.844{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.844{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.844{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.844{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\ifexec\(Default)[] 10341000x800000000000000059153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.844{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.844{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x800000000000000059150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x800000000000000059149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x800000000000000059147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x800000000000000059146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x800000000000000059145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x800000000000000059143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\ddeexec\(Default)[SetForeground][OpenReport "%%1", 2] 13241300x800000000000000059142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 2] 13241300x800000000000000059141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\ddeexec\(Default)[SetForeground][OpenReport "%%1", 2] 13241300x800000000000000059138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 2] 13241300x800000000000000059137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\ddeexec\(Default)[SetForeground][OpenReport "%%1", 1] 13241300x800000000000000059134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 1] 13241300x800000000000000059133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.828{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\ifexec\(Default)[] 11241100x800000000000000059131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:27.828{43EB4363-578B-60F5-760A-00000000E501}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\11b8-0\Microsoft.Office.Tools.Common.Implementation.dll2021-07-19 10:44:27.828 13241300x800000000000000059130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\ddeexec\(Default)[SetForeground][OpenReport "%%1", 5] 13241300x800000000000000059129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Report.1\shell\browse\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenReport "%%1", 5] 13241300x800000000000000059128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\ddeexec\(Default)[SetForeground][OpenModule "%%1"] 13241300x800000000000000059125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.812{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Module.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenModule "%%1"] 13241300x800000000000000059124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\ddeexec\(Default)[SetForeground][OpenDiagram "%%1"] 13241300x800000000000000059121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Diagram.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDiagram "%%1"] 13241300x800000000000000059120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\ddeexec\(Default)[SetForeground][OpenDataAccessPage "%%1"] 13241300x800000000000000059117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%%1"] 13241300x800000000000000059116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\ddeexec\(Default)[SetForeground][OpenDataAccessPage "%%1", 1] 13241300x800000000000000059113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.797{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.DataAccessPage.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenDataAccessPage "%%1", 1] 13241300x800000000000000059112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.789{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.779{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.778{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.778{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\ddeexec\(Default)[SetForeground][ShellOpenMacro "%%1"] 13241300x800000000000000059108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.777{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%%1"] 13241300x800000000000000059107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.775{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.775{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.774{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\ddeexec\(Default)[SetForeground][ShellOpenMacro "%%1", 1] 13241300x800000000000000059104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.773{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Macro.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [ShellOpenMacro "%%1", 1] 13241300x800000000000000059103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.764{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.763{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.763{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\ddeexec\(Default)[SetForeground][OpenView "%%1"] 13241300x800000000000000059100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.762{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%%1"] 13241300x800000000000000059099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.761{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.760{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.760{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\ddeexec\(Default)[SetForeground][OpenView "%%1", 1] 13241300x800000000000000059096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.759{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.View.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenView "%%1", 1] 13241300x800000000000000059095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.750{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.749{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x800000000000000059093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.749{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x800000000000000059092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.748{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x800000000000000059091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.747{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.746{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x800000000000000059089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.745{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x800000000000000059088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.745{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x800000000000000059087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.744{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.743{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x800000000000000059085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.743{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\ddeexec\(Default)[SetForeground][OpenForm "%%1", 2] 13241300x800000000000000059084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.742{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1", 2] 13241300x800000000000000059083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.741{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.741{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.740{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\ddeexec\(Default)[SetForeground][OpenForm "%%1"] 13241300x800000000000000059080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.740{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1"] 13241300x800000000000000059079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.739{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.738{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.738{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\ddeexec\(Default)[SetForeground][OpenForm "%%1", 1] 13241300x800000000000000059076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.737{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenForm "%%1", 1] 13241300x800000000000000059075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.736{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.736{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\ifexec\(Default)[] 13241300x800000000000000059073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.735{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\ddeexec\(Default)[SetForeground][OpenForm "%%1", 3] 13241300x800000000000000059072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.734{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Form.1\shell\datasheet\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenForm "%%1", 3] 13241300x800000000000000059071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.724{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.723{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\ifexec\(Default)[] 13241300x800000000000000059069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.722{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\ddeexec\(Default)[PrintTo "%%1","%%2","%%3","%%4"] 13241300x800000000000000059068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.721{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\printto\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1","%%2","%%3","%%4"][ShellQuit] 13241300x800000000000000059067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.720{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\topic\(Default)ShellSystem 23542300x800000000000000059066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.720{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=193FEAE7F20101672FFB6D93AC964D16,SHA256=6DFC03021EEFEC70C11DA6EF8E7269E671E8677ED8A7F55496ABC01260279F46,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.719{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\ifexec\(Default)[] 13241300x800000000000000059064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.719{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\ddeexec\(Default)[PrintTo "%%1"] 13241300x800000000000000059063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.718{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [PrintTo "%%1"][ShellQuit] 13241300x800000000000000059062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.717{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.717{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\ifexec\(Default)[] 13241300x800000000000000059060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.716{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\ddeexec\(Default)[SetForeground][OpenQuery "%%1", 2] 13241300x800000000000000059059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.716{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\preview\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1", 2] 13241300x800000000000000059058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.714{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.714{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.713{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\ddeexec\(Default)[SetForeground][OpenQuery "%%1"] 13241300x800000000000000059055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.713{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1"] 13241300x800000000000000059054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.712{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\ddeexec\(Default)[SetForeground][OpenQuery "%%1", 1] 13241300x800000000000000059051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.710{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ShortCut.Query.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /SHELLSYSTEM [OpenQuery "%%1", 1] 13241300x800000000000000059050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.704{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\accessthmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" 13241300x800000000000000059049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.699{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Workgroup.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x800000000000000059048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.695{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WizardDataFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x800000000000000059047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.691{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.BlankDatabaseTemplate.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /NEWDB "%%1" 13241300x800000000000000059046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.686{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.681{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\accesshtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" 13241300x800000000000000059044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.677{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.677{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\ifexec\(Default)[] 13241300x800000000000000059042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.676{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\openAsReadOnly\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1",0,1] 13241300x800000000000000059041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.675{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000059038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.673{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.671{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.671{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\ifexec\(Default)[] 13241300x800000000000000059035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.670{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\ddeexec\(Default)[SetForeground][ShellNewDatabase "%%1"] 13241300x800000000000000059034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.669{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.MDBFile\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /n "%%1" 13241300x800000000000000059033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.664{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Extension.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP "%%1" 13241300x800000000000000059032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.659{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.657{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\ddeexec\(Default)[SetForeground][OpenFunction "%%1"] 13241300x800000000000000059029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.657{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%%1"] 13241300x800000000000000059028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.655{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.655{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\ifexec\(Default)[] 13241300x800000000000000059026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.654{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\ddeexec\(Default)[SetForeground][OpenFunction "%%1", 1] 13241300x800000000000000059025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.653{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Shortcut.Function.1\shell\design\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /SHELLSYSTEM [OpenFunction "%%1", 1] 13241300x800000000000000059024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.642{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.642{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000059021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.641{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Project.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.636{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.BlankProjectTemplate.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /NEWDB "%%1" 13241300x800000000000000059019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.632{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ADEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.625{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.625{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.624{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000059015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.624{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WebApplicationReference.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.619{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.WizardUserDataFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x800000000000000059013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.615{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.615{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.614{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000059010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.614{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDTFile.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x800000000000000059009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.609{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDRFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /RUNTIME "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.605{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDEFile.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000059007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.600{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.599{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000059005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.599{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000059004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.598{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDCFile.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" 13241300x800000000000000059003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.593{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000059002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.593{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\ifexec\(Default)[] 13241300x800000000000000059001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.592{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1",0,1] 13241300x800000000000000059000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.591{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\openAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /RO "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000058999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000058998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\ifexec\(Default)[] 13241300x800000000000000058997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\ddeexec\(Default)[SetForeground][ShellOpenDatabase "%%1"] 13241300x800000000000000058996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP "%%1" %%2 %%3 %%4 %%5 %%6 %%7 %%8 %%9 13241300x800000000000000058995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\topic\(Default)ShellSystem 13241300x800000000000000058994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\ifexec\(Default)[] 13241300x800000000000000058993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\ddeexec\(Default)[SetForeground][ShellNewDatabase "%%1"] 13241300x800000000000000058992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.Application.16\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE" /NOSTARTUP /n "%%1" 13241300x800000000000000058991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.575{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Access.ACCDAExtension.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE /NOSTARTUP "%%1" 13241300x800000000000000058990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.559{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Topic\(Default)WWW_OpenURL 13241300x800000000000000058989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.559{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x800000000000000058988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.559{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"C:\Program Files\Microsoft Office\root\Client\appvlp.exe" "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome 10341000x800000000000000058987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.528{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000058986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.492{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\topic\(Default)(Empty) 13241300x800000000000000058985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.492{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000058984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.492{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "%%1" 13241300x800000000000000058983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.492{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "%%1" 13241300x800000000000000058982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.475{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\topic\(Default)(Empty) 13241300x800000000000000058981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.459{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000058980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.459{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "%%1" 13241300x800000000000000058979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.459{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\xmlfile\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb edit "%%1" 11241100x800000000000000058978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.413{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Word.lnk2021-07-19 10:44:27.413 11241100x800000000000000058977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.413{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype for Business.lnk2021-07-19 10:44:27.397 11241100x800000000000000058976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.397{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Publisher.lnk2021-07-19 10:44:27.397 11241100x800000000000000058975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.397{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\PowerPoint.lnk2021-07-19 10:44:27.397 11241100x800000000000000058974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.397{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Outlook.lnk2021-07-19 10:44:27.397 11241100x800000000000000058973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneNote.lnk2021-07-19 10:44:27.375 11241100x800000000000000058972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Log for Office.lnk2021-07-19 10:44:27.375 11241100x800000000000000058971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Telemetry Dashboard for Office.lnk2021-07-19 10:44:27.375 11241100x800000000000000058970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Spreadsheet Compare.lnk2021-07-19 10:44:27.375 11241100x800000000000000058969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Skype for Business Recording Manager.lnk2021-07-19 10:44:27.375 11241100x800000000000000058968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Upload Center.lnk2021-07-19 10:44:27.360 11241100x800000000000000058967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Office Language Preferences.lnk2021-07-19 10:44:27.360 11241100x800000000000000058966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\Database Compare.lnk2021-07-19 10:44:27.360 11241100x800000000000000058965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools2021-07-19 10:44:27.360 11241100x800000000000000058964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Excel.lnk2021-07-19 10:44:27.360 11241100x800000000000000058963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:44:27.344{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Access.lnk2021-07-19 10:44:27.344 23542300x800000000000000058962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.313{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1578E274C5E5AD352E67E7AA13E4C8FB,SHA256=452861579AD0EC96C6C9C8C4630813A5FB9717D6BC174552C899EB3A2363E6D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.297{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578B-60F5-760A-00000000E501}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.275{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578B-60F5-760A-00000000E501}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.275{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578B-60F5-760A-00000000E501}4536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.228{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578B-60F5-750A-00000000E501}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000058957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.213{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578B-60F5-750A-00000000E501}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000058956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.213{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578B-60F5-750A-00000000E501}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000058955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:27.175{43EB4363-578A-60F5-740A-00000000E501}8184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ff8-0\Microsoft.Office.Tools.Common.dll2021-07-19 10:44:27.175 13241300x800000000000000059587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Package\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /print "%%1" 13241300x800000000000000059585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /new "%%1" 13241300x800000000000000059582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.758{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Section.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 23542300x800000000000000028760Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:28.027{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0DC44C4299C0A31FED6CF5EBF3721C,SHA256=B3E3F6C6A04727E0F4286CB23D822F6F4D839FD0ABA90E61FB98F3513AC5E091,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.727{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-word\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Wizard.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.711{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Backup.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.696{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.695{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.694{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.RTF.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" 13241300x800000000000000059559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.674{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.OpenDocumentText.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.658{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 10341000x800000000000000059548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.643{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578C-60F5-7A0A-00000000E501}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.643{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.TemplateMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 10341000x800000000000000059539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.627{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578C-60F5-7A0A-00000000E501}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.627{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578C-60F5-7A0A-00000000E501}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x800000000000000059536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.627{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.611{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.611{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.611{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordxmlfile\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x800000000000000059528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.611{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.611{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 10341000x800000000000000059520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.596{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578C-60F5-790A-00000000E501}900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.596{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.595{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.594{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.592{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.591{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.574{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.574{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 10341000x800000000000000059512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.574{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.574{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.574{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.DocumentMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.574{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\wordhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" 13241300x800000000000000059508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.574{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vp "%%1" 13241300x800000000000000059507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /i "%%1" 13241300x800000000000000059505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /h /n "%%1" 13241300x800000000000000059504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "%%1" /o "%%u" 13241300x800000000000000059503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\OnenotePrintto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /j "%%1" "%%2" 13241300x800000000000000059502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "%%1" 13241300x800000000000000059501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.558{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Word.Document.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /vu "%%1" 13241300x800000000000000059500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.543{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcals\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.543{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcal\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.543{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\stssync\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 23542300x800000000000000059497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.527{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5BAC04D41F9420AC3F8C208032A82F3,SHA256=6BFCA7D06F9E69A023EE0AED94A907C6D59F46D61FAF6530859C51E415B8D6A3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.527{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.stssync.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.527{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.webcal.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.512{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.feed.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.496{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\oms\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Client\AppVLp.exe" rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\OMSMAIN.DLL, OmsProtocolHandler %%1 13241300x800000000000000059492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.496{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feeds\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.495{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feed\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.489{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.mailto.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x800000000000000059489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.478{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\AtWorkRendering\shell\PrintTo\command\(Default)0 13241300x800000000000000059488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.477{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.vcs.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /vcal "%%1" 13241300x800000000000000059487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.471{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.vcf.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /v "%%1" 13241300x800000000000000059486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.466{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.pst.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /pst "%%1" 13241300x800000000000000059485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.455{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /p "%%1" 13241300x800000000000000059484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.454{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /t "%%1" 13241300x800000000000000059483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.453{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.oft.15\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /t "%%1" 13241300x800000000000000059482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.443{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.msg.15\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /p "%%1" 13241300x800000000000000059481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.442{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.msg.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "%%1" 13241300x800000000000000059480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.436{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.ics.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /ical "%%1" 13241300x800000000000000059479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.431{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.hol.15\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /hol "%%1" 13241300x800000000000000059478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.424{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.File.eml.15\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE /eml "%%1" 13241300x800000000000000059477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.419{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.413{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-publisher\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.407{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /p %%1 *%%2, %%3, %%4 13241300x800000000000000059474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.406{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /p %%1 13241300x800000000000000059473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.405{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /r "%%1" 13241300x800000000000000059472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.404{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /ou "%%u" "%%1" 13241300x800000000000000059471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.403{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" /n %%1 13241300x800000000000000059470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.401{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Publisher.Document.16\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" %%1 13241300x800000000000000059469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.396{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeListShortcut\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE" %%1 13241300x800000000000000059468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.387{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.386{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x800000000000000059466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.385{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x800000000000000059465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.384{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.382{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x800000000000000059463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.381{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x800000000000000059462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.380{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 11241100x800000000000000059461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:28.377{43EB4363-578B-60F5-780A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1e8c-0\Microsoft.Office.Tools.Excel.dll2021-07-19 10:44:28.377 13241300x800000000000000059460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.376{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.365{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OrgPlusWOPX.4\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ORGCHART.EXE" %%1 13241300x800000000000000059458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.360{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-powerpoint\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.356{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.354{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.353{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.352{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OfficeTheme.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.345{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.344{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x800000000000000059451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.342{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x800000000000000059450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.340{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.338{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x800000000000000059448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.337{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x800000000000000059447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.336{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Slide.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.329{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.328{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Show\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /s "%%1" 13241300x800000000000000059444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.327{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /p "%%1" 13241300x800000000000000059443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.326{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.325{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE "%%1" /ou "%%u" 13241300x800000000000000059441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.324{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\New\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /n "%%1" 13241300x800000000000000059440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.322{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.317{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Wizard.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.313{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointxmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x800000000000000059437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.308{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.307{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.306{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x800000000000000059434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.305{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.303{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.302{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.301{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.300{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.291{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.290{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x800000000000000059426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.ShowMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.274{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x800000000000000059420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\PrintTo\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /pt "%%2" "%%3" "%%4" "%%1" 13241300x800000000000000059417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Show.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.259{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x800000000000000059409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x800000000000000059404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.243{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShowMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 23542300x800000000000000059402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.227{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF188E3D705F8AEC43DCF0CA9BEA0967,SHA256=752A96CFDB6A950721884BE73F3A54334C978745956F29D0542285EF294AF646,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" /ou "%%u" 13241300x800000000000000059398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.SlideShow.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.227{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Addin.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Addin.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" 13241300x800000000000000059394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.212{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 354300x800000000000000059388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:26.117{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65103-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x800000000000000059387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.TemplateMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.196{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\powerpointhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" 13241300x800000000000000059380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.195{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.194{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.193{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.192{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.191{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.190{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vp "%%1" 13241300x800000000000000059373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Show\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "%%1" 13241300x800000000000000059372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /p "%%1" 13241300x800000000000000059371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\OpenAsReadOnly\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE /h "%%1" 13241300x800000000000000059370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "%%1" /ou "%%u" 13241300x800000000000000059369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "%%1" 13241300x800000000000000059368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.174{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\PowerPoint.OpenDocumentPresentation.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /vu "%%1" 13241300x800000000000000059367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.159{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-excel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.159{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.UriLink.16\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\EditText\command\(Default)%%SystemRoot%%\System32\notepad.exe "%%1" 13241300x800000000000000059364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Edit\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE /y 13241300x800000000000000059363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Analyze\ddeexec\(Default)(Empty) 13241300x800000000000000059362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ODCfile\shell\Analyze\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x800000000000000059361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Print\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE /q "%%1" 13241300x800000000000000059359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.143{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart\shell\Open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE "%%1" 13241300x800000000000000059357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Chart.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\ddeexec\topic\(Default)system 13241300x800000000000000059350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\ddeexec\(Default)[new()][newwebquery?("%%1")] 13241300x800000000000000059349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.WebQuery\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /w "%%1" 13241300x800000000000000059348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.127{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Workspace\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.112{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.096{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.095{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.094{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.093{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.092{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.091{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.TemplateMacroEnabled\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excelhtmltemplate\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x800000000000000059316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.074{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Template.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.059{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.043{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.028{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excelhtmlfile\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x800000000000000059273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.012{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.SheetBinaryMacroEnabled.12\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Printto\ddeexec\(Default)(Empty) 13241300x800000000000000059256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Printto\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" /j "%%2" 13241300x800000000000000059255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\OpenAsReadOnly\ddeexec\(Default)(Empty) 13241300x800000000000000059252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /h "%%1" 13241300x800000000000000059251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\New\ddeexec\(Default)(Empty) 13241300x800000000000000059248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "%%1" 13241300x800000000000000059247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.996{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Sheet.8\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 23542300x800000000000000059245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594C84876434C882AED4AEE4EB287F8D,SHA256=BDC4C8E015EEBCC34303012865EA97D260CCC18DFB9BCF125D9704AE4C82B5E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\ViewProtected\ddeexec\(Default)(Empty) 13241300x800000000000000059243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\New\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" 13241300x800000000000000059237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Macrosheet\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 13241300x800000000000000059235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.XLL\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.975{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.XLL\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 10341000x800000000000000059233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.959{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578B-60F5-780A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\ViewProtected\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vp "%%1" 13241300x800000000000000059231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Print\ddeexec\(Default)(Empty) 13241300x800000000000000059230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Print\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /q "%%1" 13241300x800000000000000059229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Edit\ddeexec\(Default)(Empty) 13241300x800000000000000059226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.Backup\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /vu "%%1" 10341000x800000000000000059225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.959{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578B-60F5-780A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:27.959{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578B-60F5-780A-00000000E501}7820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.AddInMacroEnabled\shell\Open\ddeexec\(Default)(Empty) 13241300x800000000000000059222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:27.959{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Excel.AddInMacroEnabled\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "%%1" 13241300x800000000000000059738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.540{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{FDEA20DB-AC7A-42f8-90EE-82208B9B4FC0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.534{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{FB453AD8-2EF4-44D3-98A8-8C6474E63CE4}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.528{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{F14E8B03-D080-4D3A-AEBA-355E77B20F3D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.519{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{EAE50EB0-4A62-11CE-BED6-00AA00611080}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.513{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{EA778DB4-CE69-4da5-BC1D-34E2168D5EED}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 11241100x800000000000000059733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:29.510{43EB4363-578C-60F5-7A0A-00000000E501}6928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1b10-0\Microsoft.Office.Tools.Excel.Implementation.dll2021-07-19 10:44:29.510 13241300x800000000000000059732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.506{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{E9729012-8271-4e1f-BC56-CF85F914915A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.499{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DFD181E0-5E2F-11CE-A449-00AA004A803D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.493{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DD4CB8C5-F540-47ff-84D7-67390D2743CA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.487{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{DCA0ED3C-B95D-490f-9C60-0FF3726C789A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.470{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{D7053240-CE69-11CD-A777-00DD01143C57}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.463{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.446{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{9BDAC276-BE24-4F04-BB22-11469B28A496}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.437{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{978C9E23-D4B0-11CE-BF2D-00AA003F40D0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.430{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{9432194C-DF54-4824-8E24-B013BF2B90E3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.422{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D60-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.414{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.404{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D40-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.395{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D30-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.384{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D20-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.374{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{8BD21D10-EC42-11CE-9E0D-00AA006002F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.363{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{86F56B7F-A81B-478d-B231-50FD37CBE761}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.353{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{7931F65C-2564-4C19-AE71-E7DDFA008F6A}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.340{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{79176FB0-B7F2-11CE-97EF-00AA006D2776}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.333{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{787A2D6B-EF66-488D-A303-513C9C75C344}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.323{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6E182020-F460-11CE-9BCD-00AA00608E01}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.312{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6C1B3099-127A-4BE1-93BC-DD4771EEEF90}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.302{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6C177EBD-C42D-4728-A04B-4131892EDBF6}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 23542300x800000000000000059710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.298{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33221D462A396252BEFEF9861D3C6E27,SHA256=C5305D474E6B47B333D5D61293DA1FE4256E6BBE1301E4B2EDF7070D1A453538,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.286{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{6240EF28-7EAB-4dc7-A5E3-7CFB35EFB34D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.279{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5E90CC8B-E402-4350-82D7-996E92010608}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.272{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5CBA34AE-E344-40CF-B61D-FBA4D0D1FF54}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.264{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D124-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.255{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D122-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.245{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11E-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.235{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11C-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.226{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D11A-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.217{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D118-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.208{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D116-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.200{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D114-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.190{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D112-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.181{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5512D110-5CC6-11CF-8D67-00AA00BDCE1D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.171{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{5052A832-2C0F-46c7-B67C-1F1FEC37B280}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 23542300x800000000000000059695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.161{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A024A1B5F38DECA6C231BBB15912C385,SHA256=05AC2A0C4F1803039C50AB61DA9F3C80562A09F44D22D6858801F3BAA498BB1A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.160{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4C599241-6926-101B-9992-00000B65C6F9}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.151{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4795051A-6429-4D63-BCA0-D706532954AC}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.141{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{46E31370-3F7A-11CE-BED6-00AA00611080}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.131{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{3D0FD779-0C2D-4708-A9BA-62F7458A5A53}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.121{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{227B1F3B-C276-4DE0-9FAA-C0AD42ADDCF0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.108{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{19FED08E-EFD1-45da-B524-7BE4774A6AEE}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.098{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{13D557B6-A469-4362-BEAF-52BFD0F180E2}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 23542300x800000000000000028761Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:29.087{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A6D76249AF509BB097AEB64110403A,SHA256=54322C94898E8B88F51C56268F79B32F347D086A1219410D124995C69FE74ABB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.088{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{04082FC6-E032-49F2-A263-FE64E9DA1FA3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:29.075{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{02AF6DD2-77E6-44DF-B3E1-57CF1476D8EA}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\VFS\System\FM20.DLL 13241300x800000000000000059685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.944{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\tel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\skypecast15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.943{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sips\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.942{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sip\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.942{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-filelink\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.941{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-chan\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.941{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15classic\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.940{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.939{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\im\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.939{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\conf\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.938{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\callto\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.938{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.937{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.937{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.936{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.935{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-word\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.934{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcals\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.933{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\webcal\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.932{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\stssync\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.932{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.webcal.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.931{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.stssync.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.930{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.mailto.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x800000000000000059663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.929{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Outlook.URL.feed.15\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.929{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\oms\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Client\AppVLp.exe" rundll32.exe C:\Program Files\Microsoft Office\Root\Office16\OMSMAIN.DLL, OmsProtocolHandler %%1 13241300x800000000000000059661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.928{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\mailto\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x800000000000000059660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.925{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feeds\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.924{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\feed\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /share "%%1" 13241300x800000000000000059658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.922{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-publisher\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.921{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-powerpoint\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.920{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-excel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.919{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ms-access\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\protocolhandler.exe "%%1" 13241300x800000000000000059654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.918{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Lync.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.918{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Lync.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\Lync.exe 13241300x800000000000000059652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.918{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MsoHtmEd.exe\UseURL1 13241300x800000000000000059651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.918{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\SaveURL1 13241300x800000000000000059650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.917{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\UseURL1 13241300x800000000000000059649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.917{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.917{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OneNote.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE 13241300x800000000000000059647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.916{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\SaveURL1 13241300x800000000000000059646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.916{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\UseURL1 13241300x800000000000000059645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.916{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.916{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Winword.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE 13241300x800000000000000059643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.915{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x800000000000000059642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.915{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x800000000000000059641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.915{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.915{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE 13241300x800000000000000059639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.915{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\SaveURL1 13241300x800000000000000059638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.914{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\UseURL1 13241300x800000000000000059637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.914{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.914{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSPUB.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSPUB.EXE 13241300x800000000000000059635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x800000000000000059634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x800000000000000059633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\SaveURL1 13241300x800000000000000059632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\UseURL1 13241300x800000000000000059631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.913{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\powerpnt.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE 13241300x800000000000000059629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\ 13241300x800000000000000059628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\SKYPESERVER.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\SkypeSrv\SKYPESERVER.EXE 13241300x800000000000000059627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.912{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\SaveURL1 13241300x800000000000000059626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.911{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\UseURL1 13241300x800000000000000059625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.911{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.911{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\excel.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE 13241300x800000000000000059623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.911{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\UseURL1 13241300x800000000000000059622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.910{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\PathC:\Program Files\Microsoft Office\Root\Office16\ 13241300x800000000000000059621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.910{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSACCESS.EXE\(Default)C:\Program Files\Microsoft Office\Root\Office16\MSACCESS.EXE 13241300x800000000000000059620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.910{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\sdxhelper.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\SDXHelper.exe 13241300x800000000000000059619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.909{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe\UseURL1 13241300x800000000000000059618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.909{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoxmled.exe\(Default)C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE 13241300x800000000000000059617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.909{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MsoHtmEd.exe\UseURL1 13241300x800000000000000059616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.908{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoasb.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\msoasb.exe 13241300x800000000000000059615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:28.908{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msoadfsb.exe\(Default)C:\Program Files\Microsoft Office\Root\Office16\msoadfsb.exe 23542300x800000000000000059614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:28.894{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAC8282248431A36A921DF2A8CBAA1C,SHA256=3277CCE26CF7A0E31B09FE96A370C4280CE35B41102778896FC9200254611B5A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.893{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\tel\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.874{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\skypecast15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.874{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sips\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.874{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\sip\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.874{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15TelProtocol.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.858{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15Join.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.858{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Microsoft.Lync.15ClassicJoin.1\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.858{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-chan\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.858{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15classic\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.842{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\ma-filelink\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.842{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\conf\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.827{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\im\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.827{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\callto\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.827{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\Lync15\shell\open\command\(Default)C:\Program Files\Microsoft Office\Root\Office16\lync.exe "%%1" 13241300x800000000000000059599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.811{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.811{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNoteDesktop\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.811{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.URL.16\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.795{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.795{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.795{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Notebook.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.794{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\OpenAsReadOnly\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.793{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.792{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.Folder.1\shell\Edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "%%1" 13241300x800000000000000059590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.774{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /hyperlink "%%1" 13241300x800000000000000059589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.774{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.TableOfContents.12\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /navigate "%%1" 13241300x800000000000000059588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:28.774{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\OneNote.TableOfContents\shell\Open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" /navigate "%%1" 10341000x800000000000000059747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.145{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-0E00-00000000E501}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000059746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:30.035{43EB4363-578D-60F5-7C0A-00000000E501}8064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1f80-0\Microsoft.Office.Tools.Outlook.dll2021-07-19 10:44:30.035 10341000x800000000000000059745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.955{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578D-60F5-7C0A-00000000E501}8064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.944{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578D-60F5-7C0A-00000000E501}8064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.943{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578D-60F5-7C0A-00000000E501}8064C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028763Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:28.986{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028762Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:30.105{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3812257E147F72953EE852644FEA3E5,SHA256=3BE0708C77CCCE1CB76A42C77F329BDF5B60B2929BA4D5B28A2D54CB4A050C83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.907{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578D-60F5-7B0A-00000000E501}7992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.897{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-578D-60F5-7B0A-00000000E501}7992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.896{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:29.693{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC0CCC67B297BA5BF1FDA2719842CE3,SHA256=36CA5A5BE63DBC2EC50CA2341632AB065FDE573E5C616EEFD61FEC83AF1689D4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:30.844{43EB4363-578E-60F5-7E0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1e80-0\Microsoft.Office.Tools.Outlook.Implementation.dll2021-07-19 10:44:30.844 10341000x800000000000000059753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.669{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578E-60F5-7E0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.656{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578E-60F5-7E0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.656{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578E-60F5-7E0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.604{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578E-60F5-7D0A-00000000E501}7880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.591{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578E-60F5-7D0A-00000000E501}7880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:30.591{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578E-60F5-7D0A-00000000E501}7880C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028765Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:31.308{53AF6CEB-39BF-60F5-0D00-00000000E601}7803604C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1D00-00000000E601}1172C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028764Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:31.136{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62463F9B20971BA2334772C5B446B4C,SHA256=33C5F0D16C7900C9F8310881AC526EE08AA073D712E1E6E7E9522158F32634BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6EA316A4C78345A895168172673869,SHA256=5FA2E81794B628979904701CF7F490394A32399400E8973C545E8705E17FC98B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028766Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:32.370{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D941688BE2DA811461E9DF6F553DB131,SHA256=17BFD5906E828AB5F22D83A9B0C113A4C8BF604F7F7BE028C1AE075BB269A3AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.131{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000059757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.131{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000059756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.130{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000059755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.130{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x800000000000000059768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:31.979{43EB4363-578F-60F5-800A-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\db0-0\Microsoft.Office.Tools.v4.0.Framework.dll2021-07-19 10:44:31.979 10341000x800000000000000059767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.941{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578F-60F5-800A-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.939{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=099B8957F9C9CBB86EAF121C7B290132,SHA256=E9F20E760A2989663E59519A3F23B53227D2F542491F49FF32384894918C600B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.930{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-578F-60F5-800A-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.929{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578F-60F5-800A-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.896{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-578F-60F5-7F0A-00000000E501}7280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.884{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-578F-60F5-7F0A-00000000E501}7280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.884{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-578F-60F5-7F0A-00000000E501}7280C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000059760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:31.181{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028767Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:33.605{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3CBF6A322EBEAE06D6DDE5A236BF84,SHA256=8F302A81B08961BE828C788778069CBCA9F994207596A4150CF3360DF1DA4219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028768Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:34.636{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFD5CBB9D13EEEB5EEB814FDD869F4A,SHA256=E3A19AE6F8DA49B0334980684AF968923725D12979E91FAD7B960345A0E1CE12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:32.209{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000014.dbMD5=AF066D34BC0BFFC041E2E1AA9EDB0C88,SHA256=6B974C0CE4B65E687BFFFB53A61ED81D646AAB96B9D8AC17641F8FFC75D7CDE0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:33.277{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{261B8CA9-3BAF-4BD0-B0C2-BF04286785C6}\InprocServer32\(Default)C:\Program Files\Microsoft Office\Root\Office16\OUTLCTL.DLL 23542300x800000000000000059770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:32.840{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0813E57C2285E21B904A4CBA4D2F2A,SHA256=5784FEC796E2DD0F857204C0E83C82969BF578950591047125860D6CFDC13A1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028769Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:35.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A67CC87E390D360774E2F64EEAFC1C4,SHA256=DE980FBF6EB7FFDF22DD821EF3697EF8D5C25CD3B75ED71B358092C8A636C3FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:34.040{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5792-60F5-820A-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:34.029{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5792-60F5-820A-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:34.028{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5792-60F5-820A-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:33.988{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5791-60F5-810A-00000000E501}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:33.976{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5791-60F5-810A-00000000E501}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:33.975{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}228C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028771Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:36.761{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D412073A2FE225C0B5FB17058437D461,SHA256=9A8B252650D14A2290D8058A70BCB2DBEED2608F89417B7BC716769A982AB3F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028770Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:34.972{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000059779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:34.516{43EB4363-5792-60F5-820A-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1e10-0\Microsoft.Office.Tools.Word.dll2021-07-19 10:44:34.515 13241300x800000000000000059778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:34.485{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKCR\CLSID\{4D2F086C-6EA3-101B-A18A-00AA00446E07}\InprocServer32\(Default)mapi32.dll 23542300x800000000000000028772Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:37.777{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7103BB2D77F566650296DDAC1E38BEB1,SHA256=BBB14175E171FE3ACF10CEE945E24F1BD4CB544014C694A058341D038C9B2B32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028773Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:38.792{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0507998E2AAD67F5694D9374D7FA0D,SHA256=ECD6E8BB855A6FD7B55B61649C9B7F1154179B55DF0D9CAE8ABEAA14D451F16D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:35.228{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E165EC45F52C2B155C18D497C1819895,SHA256=F90A7CBA062408E01540EDA55254EC17290D1FBBDD17DC5C9EF5BFA43F7C6269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:35.146{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEC3FA5DDD03910DBBE0579F065E275,SHA256=FE18C79867FE173FB4E43D704B862F1A9B672CA646610437CF13F90CFA5B4D0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.021{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028774Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:39.808{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F159D39C241F2C2F258139BA2D3F6DAD,SHA256=0E1293AB6278D9634ACA43AFC99FF3850C723C291528F5589337637D87C88294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028775Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:40.870{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB32BEF9468660253FB3F9792FD2024,SHA256=80D475F85628E60F657D8EF4BE851D06DA33D352E024BF64A9F7ADFCA5444B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028777Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:41.933{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8760DAD029D1EEBA73F2A27110825732,SHA256=211B63AF94C4805DC826786AB20FB758E26DD0F50D262FB341F045EA40CFF40D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028776Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:40.128{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x800000000000000060286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.662{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x800000000000000060285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.661{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Application\(Default)IExplore 13241300x800000000000000060284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.661{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x800000000000000060283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.661{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Topic\(Default)WWW_OpenURL 13241300x800000000000000060282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:42.661{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"%%ProgramFiles%%\Internet Explorer\iexplore.exe" -nohome 18141800x800000000000000060281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.659{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.658{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{F8CF7A98-2C45-4c8d-9151-2D716989DDAB}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x800000000000000060279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.656{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{355822FC-86F1-4BE8-B5F0-A33736789641}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.656{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.656{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{35C5242B-7455-4F9C-962B-369EA43ED6F3}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.655{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{72B66649-3DBF-429F-BD6F-7774A9784B78}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.655{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.655{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.654{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.654{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.654{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{33154C99-BF49-443D-A73C-303A23ABBE97}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.654{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\msoshext.dll 13241300x800000000000000060269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.651{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{355822FC-86F1-4BE8-B5F0-A33736789641}Microsoft Word Thumbnail Handler 13241300x800000000000000060268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.651{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{AFE9E2F0-5BBA-4169-A33B-EE3727AC3482}Microsoft Visio Thumbnail Handler 13241300x800000000000000060267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.651{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{35C5242B-7455-4F9C-962B-369EA43ED6F3}Microsoft PowerPoint Thumbnail Handler 13241300x800000000000000060266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.650{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{72B66649-3DBF-429F-BD6F-7774A9784B78}Microsoft Excel Thumbnail Handler 13241300x800000000000000060265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.650{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}Microsoft Access Thumbnail Handler 13241300x800000000000000060264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.648{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155}Microsoft Word Metadata Handler 13241300x800000000000000060263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.648{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5383EF74-273B-4278-AB0C-CDAA9FD5369E}Microsoft Visio Metadata Handler 13241300x800000000000000060262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.648{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{01BE4CFB-129A-452B-A209-F9D40B3B84A5}Microsoft PowerPoint Metadata Handler 13241300x800000000000000060261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.648{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{33154C99-BF49-443D-A73C-303A23ABBE97}Microsoft Excel Metadata Handler 13241300x800000000000000060260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.648{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E3956DCF-D1C7-4375-AAAA-22FF8191C479}Microsoft Access Metadata Handler 13241300x800000000000000060259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.645{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{68CED213-317D-3F27-9036-A33240DA522E}\InprocServer32\(Default)mscoree.dll 13241300x800000000000000060258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.644{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{1227B818-7298-3D68-AC55-DDDA56EE56E1}\InprocServer32\(Default)mscoree.dll 13241300x800000000000000060257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.644{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{07B06095-5687-4D13-9E32-12B4259C9813}\InprocServer32\(Default)mscoree.dll 13241300x800000000000000060256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.642{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{CDEC13B2-0B3C-400E-B909-E27EE89C6799}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 13241300x800000000000000060255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.641{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{E18FEC31-2EA1-49A2-A7A6-902DC0D1FF05}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x800000000000000060254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.641{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9800F18F-3D86-4744-A7D0-540989C86D7B}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x800000000000000060253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.640{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3B0BD075-929C-4E52-AAD1-458C81A10B24}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 734700x800000000000000060252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x800000000000000060251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.697{43EB4363-5794-60F5-830A-00000000E501}5876C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x800000000000000060250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.639{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{9ED13477-E909-45BC-BADC-2106D04D6BD7}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 23542300x800000000000000060249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.638{43EB4363-577D-60F5-190A-00000000E501}7884NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=C762993A850FE82420BDE871031D7584,SHA256=25EDC8106C77820006215452523C1BB8EE30DDBFB67913047028D61E10C68693,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000060248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.638{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{BDEADEF5-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x800000000000000060247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.637{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{BDEADE9E-C265-11D0-BCED-00A0C90AB50F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\Interceptor.dll 18141800x800000000000000060246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.636{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.636{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3FD37ABB-F90A-4DE5-AA38-179629E64C2F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 13241300x800000000000000060244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.636{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{62B4D041-4667-40B6-BB50-4BC0A5043A73}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll 18141800x800000000000000060243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.629{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.628{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.616{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D0B22D03-D05D-4C6D-8AB7-9392E84A87B9}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.616{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.615{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{805B7F91-C9CF-4EDF-ACA6-775664FDFB3E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.614{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{97A2762C-403C-4953-A121-7A75ABCE4373}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.614{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{8D4F994C-EBBE-4F8D-BA4B-AE20CD36E72D}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 18141800x800000000000000060236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.613{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.613{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A1EB89D6-0A9C-4575-A0AE-654A990A454C}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.613{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{367E582C-F71C-4BF9-AA1B-9F62B793E9C5}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.612{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6F3DD387-5AF2-492B-BDE2-30FF2F451241}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.612{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{CD7791B9-43FD-42C5-AE42-8DD2811F0419}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEDAO.DLL 13241300x800000000000000060231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.611{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x800000000000000060230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.611{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A2-0366-4F5C-9434-25CF162E475E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x800000000000000060229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.610{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475F}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 13241300x800000000000000060228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.610{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{3BE786A0-0366-4F5C-9434-25CF162E475E}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\ACEOLEDB.DLL 10341000x800000000000000060227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.593{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579A-60F5-890A-00000000E501}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.580{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579A-60F5-890A-00000000E501}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.579{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579A-60F5-890A-00000000E501}6932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.577{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D26E25F48B4C861D82F7EB02BDB1B8F,SHA256=203A5E7CC6FA10C8D8918FB3A51C733E99304AF9E061C6B124E63E3879841FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.569{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\Temp\WIN-DC-876-20210719-1044c.logMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.567{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.555{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71B44A50A3C0721003220B6622348148,SHA256=4BD3C58E0DB4204CE68CE3A7875A96A2028FC519123D1C9AEE54C3B8D167C2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.552{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB31D4DF9802EE7F7640197229F16BD,SHA256=9C20AE2713AA0853F151B6835C543E17AFF03BD340F836AD5BD120D0980142AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.536{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\integrator.exeMD5=5F151F4A44F32D83E060B1AB7FD51820,SHA256=5C18C4CC9CDF45EE1B56D63F9D2CA160ED67F5DF644C8B6202805693C17D4B05,IMPHASH=E8BEA05A14048595A134B0431534A6DFfalsefalse - rename failed with status 0xc0000022 18141800x800000000000000060218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.505{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.473{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6DF43B8F7E9BF378815B4B481E517B58,SHA256=71A06B6742FCA829584386A8D87381CAE94BEBFC14CD9F3D86CCC9AA8B2434F8,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.468{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.461{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.452{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.451{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.432{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.407{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.384{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.369{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.368{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.353{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.307{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.245{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.215{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.200{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.185{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.174{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.153{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.128{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.112{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.112{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.092{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.048{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.983{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.952{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.936{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.921{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.890{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.874{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.861{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.859{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.838{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.795{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.719{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.688{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.673{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.658{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.658{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.657{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.657{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.657{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.657{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.657{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.625{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.615{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.607{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.591{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.584{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.539{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.460{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.429{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.414{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.405{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.402{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.399{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.399{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.399{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.393{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.384{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.383{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.368{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.352{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.352{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.337{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.321{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.285{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.197{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.160{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.147{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.147{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.130{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.130{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.129{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.129{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.114{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.114{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.106{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.088{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.083{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.075{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.053{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:41.032{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.930{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.892{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.884{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.883{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.869{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.868{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.868{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.868{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.852{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.852{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.852{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.835{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.821{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.821{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.799{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.778{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.667{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.636{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.627{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.612{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.605{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.605{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.605{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.605{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.590{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.589{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.589{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.581{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.558{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.558{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.543{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.524{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.404{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.373{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.373{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.358{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.349{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.348{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.343{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.343{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.327{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.327{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.327{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.327{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.302{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.296{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.281{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.268{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.142{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.111{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.111{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.096{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.096{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.089{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.080{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.080{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.070{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.070{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.066{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.065{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.055{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.049{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.034{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.028{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:40.003{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.886{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.848{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.848{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.837{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.836{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.836{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.836{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.835{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.833{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.832{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.832{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:39.828{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1916E8ECF8A607F614F0EE70A0FC8095,SHA256=914FE3F471E44ACB4EDE0CD82D12E808D010804F95B77B732AE64771183CB93F,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.823{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.817{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.817{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.817{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.801{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.801{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.786{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.775{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.770{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.749{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:39.661{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F4515AA9425B351D943DE3FFCDAD41,SHA256=90E312EA242714DBEE0D605F46253E3F4CB9772325DBA561E9CAF579AFDF0832,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.631{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.584{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.583{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.577{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.575{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.575{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.569{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.569{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.562{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.538{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.538{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.522{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.522{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.507{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.494{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.367{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.322{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.322{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.322{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.322{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.314{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.307{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.307{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.298{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.298{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.282{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.276{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.260{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.260{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.245{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.240{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.090{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.059{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.059{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.059{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.059{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.059{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.043{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.043{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.043{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.043{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.028{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.014{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:39.004{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.992{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.987{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.980{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.827{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.796{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.796{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.796{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.796{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.796{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.780{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.780{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.780{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.780{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.765{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.761{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.749{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.739{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.734{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.726{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 11241100x800000000000000059966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:38.671{43EB4363-5795-60F5-880A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1ee0-0\Microsoft.Office.Tools.Word.Implementation.dll2021-07-19 10:44:38.671 18141800x800000000000000059965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.563{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.537{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.537{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.537{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.535{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.535{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.534{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.532{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.532{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.532{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.532{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.526{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.518{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.518{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.517{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.517{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.508{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.501{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.492{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.486{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.476{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.470{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.465{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.300{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.270{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.270{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.270{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.270{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.270{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.260{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.259{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.256{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.255{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.254{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.239{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.239{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.239{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.223{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.212{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.202{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.022{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.007{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.007{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.007{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.007{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.006{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:38.006{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.990{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.990{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.990{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.984{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.982{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.971{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.959{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.959{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.949{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.758{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.743{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.743{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.743{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.743{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.732{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.729{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.729{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.728{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.728{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.728{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.727{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.712{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.706{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000059895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.705{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5795-60F5-880A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000059894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.702{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.696{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000059892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.669{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5795-60F5-880A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.669{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5795-60F5-880A-00000000E501}7904C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.615{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5795-60F5-870A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.603{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5795-60F5-870A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:37.603{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-5795-60F5-870A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000059887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.495{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.480{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.479{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.479{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.479{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.479{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.470{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.464{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.464{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.464{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.464{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.464{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.458{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.454{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.448{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.442{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.231{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.216{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.207{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.207{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.207{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.207{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.206{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.202{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.200{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.189{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:37.189{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.968{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.953{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.953{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.953{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.953{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.953{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.952{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.952{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.952{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.952{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.952{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.949{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.949{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.942{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.936{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.936{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.702{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.699{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.699{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.698{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.696{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.696{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.695{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.694{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.693{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.693{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.692{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.692{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.690{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.690{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.690{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.689{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.683{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.683{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.682{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.682{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000059808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:36.679{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000059807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.594{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.590{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.590{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.540{43EB4363-5794-60F5-860A-00000000E501}52084536C:\Windows\system32\conhost.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000059803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.540{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbMD5=E6B95CBAB67EFE05387E9E2D6B991371,SHA256=07E302A513FFEBE43895FFDA9F529990554A68C6E68DD4A4199736C7BD3DA51A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.532{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5794-60F5-860A-00000000E501}5208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.527{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.527{43EB4363-564B-60F5-C908-00000000E501}65764944C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+108f89|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+73a3e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+738ca|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44efe6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+44d8cd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000059799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.451{43EB4363-5794-60F5-840A-00000000E501}4904\ShellEx_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 17141700x800000000000000059798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.451{43EB4363-5794-60F5-830A-00000000E501}5876\ShellEx_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 17141700x800000000000000059797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.451{43EB4363-5794-60F5-840A-00000000E501}4904\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 17141700x800000000000000059796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.451{43EB4363-5794-60F5-830A-00000000E501}5876\FTA_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 10341000x800000000000000059795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.450{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-830A-00000000E501}5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.450{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.450{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-830A-00000000E501}5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.450{43EB4363-37A5-60F5-0B00-00000000E501}624844C:\Windows\system32\lsass.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x800000000000000059791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.449{43EB4363-5794-60F5-830A-00000000E501}5876\ShortcutNotifier_5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 17141700x800000000000000059790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:44:36.448{43EB4363-5794-60F5-840A-00000000E501}4904\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe 10341000x800000000000000059789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.432{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.430{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.429{43EB4363-564B-60F5-C908-00000000E501}65764612C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3c7e3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3cc57|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3bbb2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+437b5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+42a24|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+40c9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+b6b3f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+e660|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+66405|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+67f11|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+67df9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+66c69|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000059786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.427{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5794-60F5-830A-00000000E501}5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000059785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:36.426{43EB4363-564B-60F5-C908-00000000E501}65764612C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5794-60F5-830A-00000000E501}5876C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3c7e3|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3cc57|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3bbb2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+3d10b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+437b5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+42a24|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+40c9c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+b6b3f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+e660|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+66405|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+67f11|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+67df9|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll+66c69|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000059784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:36.378{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\protocols\mailto\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -c IPM.Note /mailto "%%1" 13241300x800000000000000059783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:36.375{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeHKLM\SOFTWARE\Clients\Mail\Microsoft Outlook\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /recycle 23542300x800000000000000028778Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:42.995{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D55BE8966EB74EA013D2888BF88DD6,SHA256=EC39B3A0C4CEDBA5E1D8ECBA83A3AA0F5C23A58125D8B4CE8B89A8AAB95B772B,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.984{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.968{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-A10A-00000000E501}1156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.968{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.953{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-A10A-00000000E501}1156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.953{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-A10A-00000000E501}1156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.947{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.931{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.915{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-A00A-00000000E501}104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.915{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.915{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.900{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-A00A-00000000E501}104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.900{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-A00A-00000000E501}104C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.900{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.869{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.853{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-9F0A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.831{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9F0A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.831{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-9F0A-00000000E501}7780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.800{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.784{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.769{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.769{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.749{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 354300x800000000000000060501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.104{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 18141800x800000000000000060500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.734{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.734{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.734{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.727{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.720{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-9E0A-00000000E501}7736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.708{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9E0A-00000000E501}7736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.708{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-9E0A-00000000E501}7736C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.708{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.700{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\TypeDWORD (0x00000002) 13241300x800000000000000060491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.700{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\IsolationDWORD (0x00000000) 13241300x800000000000000060490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.700{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\AirSpaceChannel\OwningPublisher{f562bb8e-422d-4b5c-b20e-90d710f7d11c} 18141800x800000000000000060489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.682{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.662{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.661{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.651{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.635{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.629{43EB4363-579B-60F5-9D0A-00000000E501}69327880C:\Windows\system32\conhost.exe{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.621{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9D0A-00000000E501}6932C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.617{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.617{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.617{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.617{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.617{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.616{43EB4363-5794-60F5-850A-00000000E501}77647660C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2fa538|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2f0115|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.616{43EB4363-579B-60F5-9C0A-00000000E501}2112C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.man" /rf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll" /mf:"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\mso.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 23542300x800000000000000060475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.615{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\AirSpace.Etw.manMD5=696F2B52D9A66D646A0D741419E96250,SHA256=06CD20E1AD0F7B3681BF98673C38254DF610B46E21556A76250A434637D29BEF,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc0000022 18141800x800000000000000060474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.599{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\TypeDWORD (0x00000003) 13241300x800000000000000060472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\IsolationDWORD (0x00000000) 13241300x800000000000000060471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeDebugChannel\OwningPublisher{8736922d-e8b2-47eb-8564-23e77e728cf3} 13241300x800000000000000060470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\TypeDWORD (0x00000002) 13241300x800000000000000060469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\IsolationDWORD (0x00000000) 13241300x800000000000000060468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.588{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\OfficeChannel\OwningPublisher{8736922d-e8b2-47eb-8564-23e77e728cf3} 10341000x800000000000000060467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.560{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-9B0A-00000000E501}7628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.548{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9B0A-00000000E501}7628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.548{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-9B0A-00000000E501}7628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.541{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.517{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.501{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.501{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 13241300x800000000000000060460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.498{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\TypeDWORD (0x00000002) 13241300x800000000000000060459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.498{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\IsolationDWORD (0x00000000) 13241300x800000000000000060458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:43.498{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\General Logging\OwningPublisher{f50d9315-e17e-43c1-8370-3edf6cc057be} 10341000x800000000000000060457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.487{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-9A0A-00000000E501}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.486{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.476{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.476{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.476{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-9A0A-00000000E501}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 18141800x800000000000000060452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.476{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.476{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-9A0A-00000000E501}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.474{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.470{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.455{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.429{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.414{43EB4363-579B-60F5-990A-00000000E501}44607712C:\Windows\system32\conhost.exe{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.410{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-980A-00000000E501}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.408{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.408{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.404{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-990A-00000000E501}4460C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.401{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.401{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.401{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.401{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.399{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.399{43EB4363-5794-60F5-850A-00000000E501}77647660C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2fa538|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2f0115|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.397{43EB4363-579B-60F5-970A-00000000E501}7696C:\Windows\System32\wevtutil.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Eventing Command Line UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtutil.exewevtutil.exe im "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.man" /rf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll" /mf:"C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91803E340A7E7AFDF95A8031F6EF3F3E,SHA256=DCFD99FE08A5D46C52E810FE2F9CC15AC82008975C0A731A11773B11ADE0F3CC,IMPHASH=51FFA3B7FBD1EF82ECE0730B54406E64{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 10341000x800000000000000060434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.398{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-980A-00000000E501}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.398{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-980A-00000000E501}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.397{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.396{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\msoutilstat.etw.manMD5=C1E8B625377C75454266F9D172D2F77D,SHA256=7847E5BA06CA0A834454A3C62EC343DCAA4339E6EF2ED5BD42E460ADE5331628,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc0000022 18141800x800000000000000060430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.382{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.346{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.346{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-960A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.334{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-960A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.334{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-960A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000060425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:43.323{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature Updates Logon2021-07-19 10:41:14.323 10341000x800000000000000060424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.321{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.321{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.318{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.305{43EB4363-579B-60F5-950A-00000000E501}45766212C:\Windows\system32\conhost.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.297{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-950A-00000000E501}4576C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.293{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.293{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.292{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.292{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.291{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.291{43EB4363-5794-60F5-850A-00000000E501}77647964C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9add6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e75e8|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e5ca6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+1483b|C:\Program Files\Microsoft Office\root\integration\integrator.exe+13fad|C:\Program Files\Microsoft Office\root\integration\integrator.exe+28c25|C:\Program Files\Microsoft Office\root\integration\integrator.exe+340c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.291{43EB4363-579B-60F5-940A-00000000E501}1384C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates Logon" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates Logon.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 18141800x800000000000000060412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.288{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.283{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature Updates LogonMD5=AD6DC17A43C5A6AEAEFC6CA714B15B82,SHA256=92C50917601489F24BF8183726DCC073048E779053389EB5AF555D72F95DAB37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.270{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.270{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.270{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.270{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.263{43EB4363-37A5-60F5-0B00-00000000E501}6245536C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.263{43EB4363-37A5-60F5-0B00-00000000E501}6245536C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.259{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.253{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.250{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.250{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.249{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.249{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.244{43EB4363-579B-60F5-930A-00000000E501}3606908C:\Windows\system32\conhost.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.238{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.238{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.236{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-930A-00000000E501}360C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000060394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.233{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A96818DAB96C18112C022F297BA1E7FF,SHA256=6F675D55D8F488B32541C80A2283DCE86A55EE7D09EC589EF83BFD37B76F381D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.233{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0BF95A9260E07A21B47B27C332D9CC,SHA256=B86927283012DEA8C6550224477CB6E522F4153DFB6CC314D8DE3E5BA46B04A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.231{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.230{43EB4363-5794-60F5-850A-00000000E501}77647964C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9af91|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e6f18|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e5ca6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+1483b|C:\Program Files\Microsoft Office\root\integration\integrator.exe+13fad|C:\Program Files\Microsoft Office\root\integration\integrator.exe+28c25|C:\Program Files\Microsoft Office\root\integration\integrator.exe+340c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.230{43EB4363-579B-60F5-920A-00000000E501}7556C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates Logon"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 18141800x800000000000000060389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.222{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.222{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.222{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 11241100x800000000000000060386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:44:43.221{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature Updates2021-07-19 10:41:14.234 18141800x800000000000000060385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.221{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.217{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.217{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.214{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.214{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.197{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.196{43EB4363-579B-60F5-910A-00000000E501}81123800C:\Windows\system32\conhost.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.176{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.175{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-910A-00000000E501}8112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.171{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.171{43EB4363-5794-60F5-850A-00000000E501}77647964C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9add6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e75e8|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e5ca6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+1483b|C:\Program Files\Microsoft Office\root\integration\integrator.exe+13fad|C:\Program Files\Microsoft Office\root\integration\integrator.exe+28c25|C:\Program Files\Microsoft Office\root\integration\integrator.exe+340c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.171{43EB4363-579B-60F5-900A-00000000E501}6712C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Create /tn "Microsoft\Office\Office Feature Updates" /XML "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\Microsoft_Office_Office Feature Updates.xml"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 23542300x800000000000000060373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.163{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\Microsoft\Office\Office Feature UpdatesMD5=6711BDD62C8C6CA1B147758423907878,SHA256=31F95CFD210A85FBA7CBDD0FF227830B2106E7F1CF919658F4998099803A8561,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.149{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-8F0A-00000000E501}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.145{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.145{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.144{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.138{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-8F0A-00000000E501}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.137{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579B-60F5-8F0A-00000000E501}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.132{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.132{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.132{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.132{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.129{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.086{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:43.035{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.013{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579B-60F5-8E0A-00000000E501}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.000{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579B-60F5-8E0A-00000000E501}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:43.000{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.985{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.983{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.968{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.968{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.960{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.960{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.960{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.960{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.944{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.943{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579A-60F5-8D0A-00000000E501}7744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.930{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579A-60F5-8D0A-00000000E501}7744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.930{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579A-60F5-8D0A-00000000E501}7744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.922{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.891{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.891{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.883{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.867{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.842{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579A-60F5-8C0A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.829{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.829{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579A-60F5-8C0A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.828{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579A-60F5-8C0A-00000000E501}6536C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.767{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.748{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.748{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.722{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.721{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.720{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.706{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.706{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.706{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.706{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.704{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.702{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.700{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.699{43EB4363-579A-60F5-8B0A-00000000E501}79561156C:\Windows\system32\conhost.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:42.690{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.689{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579A-60F5-8B0A-00000000E501}7956C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.683{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.683{43EB4363-5794-60F5-850A-00000000E501}77647964C:\Program Files\Microsoft Office\root\integration\integrator.exe{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a3c1|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9a570|C:\Program Files\Microsoft Office\root\integration\integrator.exe+9af91|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e6f18|C:\Program Files\Microsoft Office\root\integration\integrator.exe+2e5ca6|C:\Program Files\Microsoft Office\root\integration\integrator.exe+1483b|C:\Program Files\Microsoft Office\root\integration\integrator.exe+13fad|C:\Program Files\Microsoft Office\root\integration\integrator.exe+28c25|C:\Program Files\Microsoft Office\root\integration\integrator.exe+340c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:42.681{43EB4363-579A-60F5-8A0A-00000000E501}4848C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks.exe /Delete /F /tn "Microsoft\Office\Office Feature Updates"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\Integration\Integrator.exeintegrator.exe /I /Extension /Msi /StreamFull MsiName=C2RInt.16.msi,C2RIntLoc.en-us.16.msi,* PackageGUID="9AC08E99-230B-47e8-9721-4577B7F124EA" PackageRoot="C:\Program Files\Microsoft Office\root" 13241300x800000000000000060316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1183,IFEOSetValue2021-07-19 10:44:42.680{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe\MitigationOptionsQWORD (0x00000000-0x00000100) 13241300x800000000000000060315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{02BCC737-B171-4746-94C9-0D8A0B2C0089}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL 13241300x800000000000000060314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\CategoryMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSSOAP30.DLL 13241300x800000000000000060313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSSOAP30.DLL 13241300x800000000000000060312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\CategoryCountDWORD (0x00000004) 13241300x800000000000000060311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MSSOAP\TypesSupportedDWORD (0x00000001) 13241300x800000000000000060310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.678{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft Office 16\TypesSupportedDWORD (0x00000007) 13241300x800000000000000060309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\Microsoft Office 16\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSORES.DLL;C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE 13241300x800000000000000060308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\Microsoft Office 16 Alerts\TypesSupportedDWORD (0x00000007) 13241300x800000000000000060307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\Microsoft Office 16 Alerts\EventMessageFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\OFFREL.DLL 13241300x800000000000000060306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\RetentionDWORD (0x00000000) 13241300x800000000000000060305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\PrimaryModuleOAlerts 13241300x800000000000000060304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\MaxSizeDWORD (0x00020000) 13241300x800000000000000060303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\DisplayNameIDDWORD (0x00000066) 13241300x800000000000000060302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.677{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\System\CurrentControlSet\Services\EventLog\OAlerts\DisplayNameFileC:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\OFFREL.DLL 13241300x800000000000000060301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.672{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D66DC78C-4F61-447F-942B-3FB6980118CF}{D66DC78C-4F61-447F-942B-3FB6980118CF} 13241300x800000000000000060300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:42.672{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}{506F4668-F13E-4AA1-BB04-B43203AB3CC0} 13241300x800000000000000060299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.671{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{D66DC78C-4F61-447F-942B-3FB6980118CF}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x800000000000000060298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.671{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{A394DCA9-3727-11D4-BD85-00C04F6B93A4}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x800000000000000060297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.670{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{506F4668-F13E-4AA1-BB04-B43203AB3CC0}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VISSHE.DLL 13241300x800000000000000060296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.669{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x800000000000000060295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.668{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x800000000000000060294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.668{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\CLSID\{000D0E00-0000-0000-C000-000000001157}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\Office16\VVIEWDWG.DLL 13241300x800000000000000060293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.667{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{6939BF8D-FF94-492C-9E4E-BD6439D8F867}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x800000000000000060292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.666{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{550D0110-8DCD-11D1-8524-00A02495E426}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x800000000000000060291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.666{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\WOW6432Node\CLSID\{000D0E00-0000-0000-C000-000000001157}\InprocServer32\(Default)C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWDWG.DLL 13241300x800000000000000060290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.665{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Application\(Default)IExplore 13241300x800000000000000060289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.665{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\(Default)"file:%%1",,-1,,,,, 13241300x800000000000000060288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:44:42.665{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\ddeexec\Topic\(Default)WWW_OpenURL 13241300x800000000000000060287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:44:42.665{43EB4363-5794-60F5-850A-00000000E501}7764C:\Program Files\Microsoft Office\root\integration\integrator.exeHKCR\VisioViewer.Viewer\shell\open\command\(Default)"%%ProgramFiles%%\Internet Explorer\iexplore.exe" -nohome 18141800x800000000000000060629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.998{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.998{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.983{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.967{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.951{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.914{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-AE0A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.914{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-AE0A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.914{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-AE0A-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.914{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.867{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-AD0A-00000000E501}7676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.867{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-AD0A-00000000E501}7676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.867{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-AD0A-00000000E501}7676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.846{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.846{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.830{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-AB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.830{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-AC0A-00000000E501}6932C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-56CD-60F5-F608-00000000E501}75487880C:\Windows\system32\msiexec.exe{43EB4363-579C-60F5-AC0A-00000000E501}6932C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.827{43EB4363-579C-60F5-AC0A-00000000E501}6932C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 8276AF004976A67E318207BDEBD534EF E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 10341000x800000000000000060606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-AB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.814{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-AB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.814{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.799{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.799{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.799{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.799{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.783{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-AA0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.783{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-AA0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.783{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-AA0A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.767{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.767{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.730{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.730{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.714{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A90A-00000000E501}8088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.714{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.714{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.699{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A90A-00000000E501}8088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.699{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A90A-00000000E501}8088C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.699{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.652{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A80A-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.650{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A80A-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.650{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A80A-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.646{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.583{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.583{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.568{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A70A-00000000E501}7932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.568{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.552{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A70A-00000000E501}7932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.552{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A70A-00000000E501}7932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.552{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.530{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.530{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.530{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.530{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.515{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.499{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.468{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.468{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.446{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.430{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.384{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.331{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.315{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.299{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.299{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.284{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A60A-00000000E501}8008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.268{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A60A-00000000E501}8008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.268{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A60A-00000000E501}8008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.268{43EB4363-577D-60F5-190A-00000000E501}7884NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=85B865998E8FEE61EBCA2FA53C6980C6,SHA256=A3301A63D521CDB9DC52B3F52AC4A56A1B023AFFA4B4C01C84580A0D362475E9,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.268{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.268{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.268{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.268{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.246{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.231{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.215{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A50A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.215{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A50A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.215{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A50A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.215{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.199{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.184{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.168{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A40A-00000000E501}7200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.168{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.152{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A40A-00000000E501}7200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.152{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A40A-00000000E501}7200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.131{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.115{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A30A-00000000E501}6200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.100{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A30A-00000000E501}6200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.100{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A30A-00000000E501}6200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.068{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.053{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-A20A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.047{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.031{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579C-60F5-A20A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:44.031{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579C-60F5-A20A-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.031{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.031{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.015{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.000{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.000{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:44.000{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000028779Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:44.026{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F2014925BFDBE27EA1894FF6C09C31,SHA256=3E81753762E42487996E9963A20CB3F8F540E9E0B22A14974D5C2F89D408B345,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.985{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.971{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B50A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.955{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.900{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B50A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.900{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B50A-00000000E501}7288C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.900{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.870{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF270.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.870{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.870{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.870{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.870{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.853{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.837{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B40A-00000000E501}7872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.837{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.832{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.816{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B40A-00000000E501}7872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.816{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B40A-00000000E501}7872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.785{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.769{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.769{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.735{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.731{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.731{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B30A-00000000E501}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.716{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF146.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 10341000x800000000000000060693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.700{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B30A-00000000E501}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.700{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B30A-00000000E501}2384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.684{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.653{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B20A-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.638{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B20A-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.638{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B20A-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.632{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.615{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.615{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.600{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B10A-00000000E501}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.600{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.600{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.600{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.584{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B10A-00000000E501}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.584{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B10A-00000000E501}4576C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.584{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.569{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.537{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-B00A-00000000E501}7828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.530{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-B00A-00000000E501}7828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.529{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-B00A-00000000E501}7828C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.529{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.514{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.506{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.473{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.467{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.423{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.397{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIEE57.tmpMD5=9CADBFA797783FF9E7FC60301DE9E1FF,SHA256=C1EDA5C42BE64CFC08408A276340C9082F424EC1A4E96E78F85E9F80D0634141,IMPHASH=652859BF844DA7396CCD2DCBC07B8FD2truetrue 10341000x800000000000000060664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.393{43EB4363-579C-60F5-AC0A-00000000E501}69328104C:\Windows\syswow64\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7873|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 18141800x800000000000000060663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.374{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.358{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.358{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.346{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16FD0C42672892D60536B24F13A7D11D,SHA256=C447446555C4E5BC7F0AD912EB1E79DD312799E6050220DA1A458A7C2B317031,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.344{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579D-60F5-AF0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.343{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.337{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579C-60F5-AC0A-00000000E501}6932C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.333{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CF8609526810F94B34D48BF13194B5B,SHA256=65AF8C62C35A3DE44008646E84C116C6FA35F0BEFB11BB0B08D5B3A02CA30AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.332{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C36C532B689F30535B010D072487BCA,SHA256=C6BBBD429DD5074DC1AF2FFEDCDC90BBCBE1E55EE6C87A688CD3A98B196C4049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.329{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B57EE6A53DDF010DEE05DD40586FEF4D,SHA256=0899C77267312B640157E31530EDEF8A62488A1D393C829A13C78370322F1CF6,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.329{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.328{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.327{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.312{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.294{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.282{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.273{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579D-60F5-AF0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:45.273{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579D-60F5-AF0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.263{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.253{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.248{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.220{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.204{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.170{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.107{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.098{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.092{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.076{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.061{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.061{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.061{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.052{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.030{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:45.030{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000028780Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:45.136{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632C72C181B2D871D0E49A26FEE8EFEC,SHA256=15F9EA593B2B398E675413103B008BAE7958658EB8D27F8A2846A6C6767F0DAF,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.953{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.953{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.916{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.900{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.900{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.884{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.884{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.884{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.884{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.853{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.853{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.816{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.784{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.753{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF5AF.tmpMD5=9CADBFA797783FF9E7FC60301DE9E1FF,SHA256=C1EDA5C42BE64CFC08408A276340C9082F424EC1A4E96E78F85E9F80D0634141,IMPHASH=652859BF844DA7396CCD2DCBC07B8FD2truetrue 10341000x800000000000000060807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.753{43EB4363-579E-60F5-BA0A-00000000E501}76767532c:\Windows\syswow64\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|c:\Windows\syswow64\MsiExec.exe+7291|c:\Windows\syswow64\MsiExec.exe+7873|c:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.738{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579E-60F5-BA0A-00000000E501}7676c:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.735{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.732{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579E-60F5-BA0A-00000000E501}7676c:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.716{43EB4363-56CD-60F5-F608-00000000E501}75487000C:\Windows\system32\msiexec.exe{43EB4363-579E-60F5-BA0A-00000000E501}7676c:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000060797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.717{43EB4363-579E-60F5-BA0A-00000000E501}7676C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exec:\Windows\syswow64\MsiExec.exe -Embedding E3B4072282BF4F3430114226C5B841D2 E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 18141800x800000000000000060796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.685{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.653{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.632{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.616{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.616{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.585{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=970278B155B424F412B0968851DB07D0,SHA256=BA8639C2D1B43B95CE60F3A916868F7C3BD9FE3D505C85A13E7BAA0E4F5B834D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF048D280C19F835EA.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF0B6C4836A8E1EBBA.TMPMD5=970278B155B424F412B0968851DB07D0,SHA256=BA8639C2D1B43B95CE60F3A916868F7C3BD9FE3D505C85A13E7BAA0E4F5B834D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF0921DCC77E3E882.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFC81CF7F3C753BE6A.TMPMD5=970278B155B424F412B0968851DB07D0,SHA256=BA8639C2D1B43B95CE60F3A916868F7C3BD9FE3D505C85A13E7BAA0E4F5B834D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.553{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFE3B55FCD19E4E671.TMPMD5=8E318F0ACAA1524E71BC6BFB74193AC8,SHA256=BEFEBBA17E8C6E0BFC17A89AC48A937B0AF09AD300C361D5D8E1D8973AE82F97,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.553{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62f.rbsMD5=F0547C7988018B6D1D14A76CB90C7861,SHA256=E7BECAC8260C3D82571F56684525EFCE975635D88A3C3009CC68C9B2E968304A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.538{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF502.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 18141800x800000000000000060775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.532{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.516{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF501.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 23542300x800000000000000060773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.516{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAC894892FAF35AF3.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.516{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAFCD8380D8B5178D.TMPMD5=65B1D1FDBF10C79BEEB8527FAD6BEEA9,SHA256=748F5C1903F221A47AC9475EF6B4AD0F326305DCA740800274D8A0BD6A4FBA7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.516{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.501{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4E41C64319D32CB1.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.501{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF122B618F7D416DE1.TMPMD5=65B1D1FDBF10C79BEEB8527FAD6BEEA9,SHA256=748F5C1903F221A47AC9475EF6B4AD0F326305DCA740800274D8A0BD6A4FBA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.501{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF270.tmpMD5=BC9B3749B55AB452A596831D1DAF2AB1,SHA256=7DB26D8E7A71C579C262B3F30AAF7257A487E97607C7531615F8576C5BBC0E03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.469{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3BD8507FADE91C6EF2ED99B141CB717,SHA256=2904F256A6950FB56E9D3515A7BB0FF864CA01577B4CC8C1C0256B5A48C9B19B,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.469{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.454{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579E-60F5-B90A-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.438{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579E-60F5-B90A-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.438{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579E-60F5-B90A-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.416{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.401{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.385{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.385{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.385{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.385{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.385{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000060755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.369{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c62f.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.369{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAF8566783207EF31.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.369{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3274C2A2668EF200.TMPMD5=65B1D1FDBF10C79BEEB8527FAD6BEEA9,SHA256=748F5C1903F221A47AC9475EF6B4AD0F326305DCA740800274D8A0BD6A4FBA7C,IMPHASH=00000000000000000000000000000000falsetrue 18141800x800000000000000060752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.369{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.354{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.354{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.316{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.285{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.285{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.269{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579E-60F5-B80A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.269{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.254{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579E-60F5-B80A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.254{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579E-60F5-B80A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.254{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.217{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.170{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579E-60F5-B70A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.170{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579E-60F5-B70A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.170{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579E-60F5-B70A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.154{43EB4363-564B-60F5-C908-00000000E501}6576\FTA_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.132{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.132{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.132{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.132{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.116{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.116{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.116{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.086{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.086{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 10341000x800000000000000060727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.069{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579E-60F5-B60A-00000000E501}8152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.054{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579E-60F5-B60A-00000000E501}8152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:46.054{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579E-60F5-B60A-00000000E501}8152C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000060724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.054{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.031{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.031{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 18141800x800000000000000060721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:44:46.008{43EB4363-564B-60F5-C908-00000000E501}6576\ShortcutNotifier_4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe 23542300x800000000000000028781Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:46.370{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B0D9219CF0E6EAF83F5A00CE86E0C2,SHA256=F35C716974A72D44D1D16BE97AD4B60C9ECCEDCFDFDA74DC81FE54D8CFE008CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.997{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFEBAF93D9642E1B27.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.996{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCF5FEB71B72E66A1.TMPMD5=6E8212EA1365BFF4B85A3CAEE2B861A8,SHA256=DE263C05E76AE05DA5C222E28F3098427531D97FFD279E83D93C58700C44F485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.988{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFDCE0B03CEDEC64E9.TMPMD5=5637A33CDA5E9818F1F5AEE7A7EDCE52,SHA256=88F61B44EAEACE288F7410B984F8E566E582363C12E3CBB51B6709B3FA558196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.979{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c631.rbsMD5=C076C44BE09A97917D4D0A3E13975EA0,SHA256=199FAE99C12FDDEF4E0CE791048E4D4B7445B1CDE3F8248FBD686608ED26A0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.965{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIFA95.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 23542300x800000000000000060893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.942{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIFA75.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 23542300x800000000000000060892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.917{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF59D5F4F291443164.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.916{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF86334B11DC3BBF0E.TMPMD5=FC6326D934FAA0F486996AFB1BC543A2,SHA256=2E72545537821BAC931B74CE0EA5B076CE2FFAC379F8FDFA70B941FEB306B361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.914{43EB4363-579E-60F5-B90A-00000000E501}5224NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WVWG8L9D05\Microsoft.VisualBasic.Compatibility.ni.dll.auxMD5=35237910EB6DC973D73406C59D64C2BE,SHA256=1B97B8FC8608529B9D7EBCF2342E7C3973CC29DBBD9C3DC82FA85CD3ECA99613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.911{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4B46F5F6F49BBA31.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.911{43EB4363-579E-60F5-B90A-00000000E501}5224NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\WVWG8L9D05\Microsoft.VisualBasic.Compatibility.ni.dllMD5=71AAF81F02AE1ABADB05D3F920DFA103,SHA256=172782392CA26CDF9AEDA0ADB7B7477D4E052CDB71E06E2F8D92FF4FDB1D2817,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.902{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF31C837F94513F5E3.TMPMD5=FC6326D934FAA0F486996AFB1BC543A2,SHA256=2E72545537821BAC931B74CE0EA5B076CE2FFAC379F8FDFA70B941FEB306B361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.878{43EB4363-579F-60F5-BC0A-00000000E501}76607500C:\Windows\system32\conhost.exe{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.874{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF748.tmpMD5=5CAF347210BB29313ABC829696EB508B,SHA256=E62A6F67653886247BA5CA1A93C6CD9084C44F322686B4FC02E7202E4B3D4737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.857{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-579F-60F5-BC0A-00000000E501}7660C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.851{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.851{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000060881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:47.843{43EB4363-579E-60F5-B90A-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1468-0\Microsoft.VisualBasic.Compatibility.dll2021-07-19 10:44:47.843 23542300x800000000000000060880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.676{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c631.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.673{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF2F386BE42A606BBD.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.673{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3E8E6F108EB8E15A.TMPMD5=FC6326D934FAA0F486996AFB1BC543A2,SHA256=2E72545537821BAC931B74CE0EA5B076CE2FFAC379F8FDFA70B941FEB306B361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.515{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.253{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=639C154DD61051860CDAC52BA0619CDD,SHA256=DA732B2B0069DEF455E128704301FDD295DA3C81A96C211D539FC59002539123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.253{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16BFB9BC35A70877BFDC41D34CF88B9C,SHA256=F86759F78070E9001A106F601DF96DF56751183FAD84F8E626FCB7BEBB1A9754,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.253{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B1D9D511E63048E3D0D6423622FF08,SHA256=D6EEFDEF70D32812C04A2822B598007C7588BAC32F48AC51B9E4807C5E587572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.253{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2C36C532B689F30535B010D072487BCA,SHA256=C6BBBD429DD5074DC1AF2FFEDCDC90BBCBE1E55EE6C87A688CD3A98B196C4049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.100{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF748.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:47.000{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSIF68B.tmpMD5=FCCDC45CA17E5180B40EFC28052BAC39,SHA256=4AB37B0F9C5FE3505E1ECFE0764AAA04838CF81F9E0A402425E057F7A251E621,IMPHASH=620AD7AB8901854C91622E052544AEE7truetrue 354300x800000000000000028783Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:46.066{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028782Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:47.604{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894EF67D2A53D0B1C859A97CEF55D7B6,SHA256=C6CB2931CAE42A182F769BE531D59A5AE69935F630C7438A88656168C335D663,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.947{43EB4363-57A0-60F5-BF0A-00000000E501}7248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U1H1D89CUB\Microsoft.VisualBasic.Compatibility.Data.ni.dll.auxMD5=D1BD432185A358C7C6A020B22ADA0810,SHA256=92821963002B09B0F002E81906284F73CA0529ED5603C03C70B0D1663EBA27F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.947{43EB4363-57A0-60F5-BF0A-00000000E501}7248NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\U1H1D89CUB\Microsoft.VisualBasic.Compatibility.Data.ni.dllMD5=427D4E476D93C3CA7C47B645D87DF29A,SHA256=62866974443D9E9CFEED238B7801DD2166FE617DE3D52D8755A655FC89AF53E8,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000061018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:48.916{43EB4363-57A0-60F5-BF0A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1c50-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-07-19 10:44:48.916 23542300x800000000000000061017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.878{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITFD6B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.863{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3E647E1CF2A6FB5D7C9731887B25960,SHA256=F6EEACF3D509B5ABD2260D9970FF0BB3A203D71C3CDBCD3EFE37E4E2B04A06DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.863{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=96087F96B736BCD6D2A95893B95D88AE,SHA256=0037A25AADB3A7F2900D1B3D9DFE179D9AECF14DB057B1E654EB903A906CE387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.847{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CE6676AD54ACDD047E073140D17C0E0,SHA256=F2725330AAF8BF41AA214206C836BC3A1AC8AE7674925BBE18CF889F74ECF210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.847{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32533243E614ED655EAF96EEB4930FA5,SHA256=859294A699E8E8C1FB1B07638DCFDA68CE6C33D8D37E41407671E1F121F5DEA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.847{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=404DC5E43211E6FE9D2F3E5016068F6D,SHA256=04D4DE9A61DBA899CEBF50F478F77B9ED74952EF798747723A6AEE4B3E77461C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.678{43EB4363-37A7-60F5-1600-00000000E501}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Users\ADMINI~1\AppData\Local\Temp\BITFD6B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.663{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\qmgr.dll+2e4ff|c:\windows\system32\qmgr.dll+2ce27|c:\windows\system32\qmgr.dll+1f3ce|c:\windows\system32\qmgr.dll+1f73c|c:\windows\system32\qmgr.dll+1f575|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x800000000000000061009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.663{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.663{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.647{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000061005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000061004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a 10341000x800000000000000061003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d 10341000x800000000000000061002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000061001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000061000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a 10341000x800000000000000060999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d 10341000x800000000000000060998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000060997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000060996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a 10341000x800000000000000060995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.631{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d 10341000x800000000000000060994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.616{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.616{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.616{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1e3dfa(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+5feaa|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+67b89 10341000x800000000000000060991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.616{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d 10341000x800000000000000060990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.616{43EB4363-57A0-60F5-BE0A-00000000E501}76806212C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\shcore.dll+12a10(wow64)|C:\Windows\System32\shcore.dll+36766(wow64)|C:\Windows\System32\shcore.dll+36625(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+29b8a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a27d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+2a167 10341000x800000000000000060989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.612{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.612{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000060982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000060981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.594{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.532{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c632.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.516{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.463{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.447{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.447{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+39e9aa|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4f2f9a|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327 10341000x800000000000000060974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.431{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000060973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.431{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.431{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.394{43EB4363-55C4-60F5-7D08-00000000E501}24646100C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000060970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.394{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000060969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.378{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.378{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.378{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.378{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000060963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000060961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000060959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000060957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000060956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000060955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000060954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000060953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-37A4-60F5-0A00-00000000E501}608668C:\Windows\system32\services.exe{43EB4363-57A0-60F5-C00A-00000000E501}5276C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.363{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-C00A-00000000E501}5276C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A0-60F5-C00A-00000000E501}5276C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A4-60F5-0A00-00000000E501}6081020C:\Windows\system32\services.exe{43EB4363-57A0-60F5-C00A-00000000E501}5276C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.347{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000060941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000060940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.331{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+b7f48|C:\Windows\System32\windows.storage.dll+1a2cf9|C:\Windows\System32\windows.storage.dll+1a2b55|C:\Windows\System32\windows.storage.dll+b8ca6|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000060935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.316{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.294{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.278{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.216{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BF0A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.209{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A0-60F5-BF0A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.209{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A0-60F5-BF0A-00000000E501}7248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.169{43EB4363-37A7-60F5-1000-00000000E501}3684988C:\Windows\System32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.146{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.145{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.144{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.144{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000060908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.079{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-579F-60F5-BD0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000060907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.046{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-walMD5=61943A38658417C93E1B90F512AC294C,SHA256=99E1FF6CDEA9B035D155F940F20EF646EE78686E920CBB705A66B77837CB0D07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.043{43EB4363-5794-60F5-850A-00000000E501}7764NT AUTHORITY\SYSTEMC:\Program Files\Microsoft Office\root\integration\integrator.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\integrator.exe.db-shmMD5=B6B15A2126DB29FCA0C356F955807F72,SHA256=8E80EA404AFB4AC58EE3A67D3E7727B19CB3D8A1C94A1B4F560EA5DDDC1C8589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.020{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82A222F6089F7F814CCA1A7FC893E51E,SHA256=51E891F916BAC4936CF0C77FFD56630B99A2C2E4C62EE745AEC6F191CCE7F0C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.014{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=577A9488475BD39003948EB15D8DD238,SHA256=A1C155AAB3D5500FD4FB6D81D12FCC5BDEEB8B117D80418606E0F7E684CD4DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.010{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=6E8212EA1365BFF4B85A3CAEE2B861A8,SHA256=DE263C05E76AE05DA5C222E28F3098427531D97FFD279E83D93C58700C44F485,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.008{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBFCEBD07118E6930.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000060901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.006{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF1769D28395A3DF65.TMPMD5=6E8212EA1365BFF4B85A3CAEE2B861A8,SHA256=DE263C05E76AE05DA5C222E28F3098427531D97FFD279E83D93C58700C44F485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.000{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-579F-60F5-BD0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000060899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.000{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-579F-60F5-BD0A-00000000E501}7276C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028784Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:48.839{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=143B6C28380E72F783285B54700BCCCF,SHA256=85AB1F81D4568182B7D2EC4F4A229179C45348B37911FB7489F75632FFB937B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.991{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=6CA90048958DA0A0088C9AECD9CCCFD3,SHA256=D51017831D62BC87A2E92B7E28A9364777CBFD5B657ED64100C74F9DE1EA4412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.975{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=63A9CF88C0EEBE2B7B00FBDBD60022FC,SHA256=2A09B6A4BDC9A70AD22B8925B317071F94541481A9978CFE89B0CA033B01D74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.972{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=0716BCA2EC7C7534750BFA6D3D844EE9,SHA256=C9BF0D3989917A9C6B4E018F549066C9D9D37CCABECCC69F7EA33DC2BF9C6E4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.954{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.954{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.922{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.922{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.907{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.899{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe18.151.0729.0013Microsoft OneDrive SetupMicrosoft OneDriveMicrosoft CorporationOneDriveSetup.exeC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /peruser /childprocess /enableOMCTelemetry C:\Windows\system32\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=11D5E2EF5D9A0E009DF8CC61F4706982,SHA256=17A5F35C30B9D1DBB651686407DBF7D1BDCC685426581AF6796B364550E7FE70,IMPHASH=059AC5CD530DD28EAD72A380619D30D7{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" /silent 10341000x800000000000000061069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A7-60F5-1000-00000000E501}3684988C:\Windows\System32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.891{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.807{43EB4363-37A7-60F5-1600-00000000E501}12723472C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.807{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.791{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.791{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.775{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C70A-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.775{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.775{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.775{43EB4363-57A0-60F5-BE0A-00000000E501}76807904C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+da5f9|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e3f4a|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e222d|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000061058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.774{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C70A-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C70A-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-57A0-60F5-BE0A-00000000E501}76804852C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be74(wow64)|C:\Windows\System32\SHELL32.dll+18bd4e(wow64)|C:\Windows\System32\SHELL32.dll+1ad65a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000061049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.764{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe18.151.0729.0013Microsoft OneDrive SetupMicrosoft OneDriveMicrosoft CorporationOneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /permachine /silent /childprocess /enableOMCTelemetry /cusid:S-1-5-21-4085236968-3260266398-3930693997-500 C:\Temp\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=11D5E2EF5D9A0E009DF8CC61F4706982,SHA256=17A5F35C30B9D1DBB651686407DBF7D1BDCC685426581AF6796B364550E7FE70,IMPHASH=059AC5CD530DD28EAD72A380619D30D7{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe"C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe" /silent 10341000x800000000000000061048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.754{43EB4363-37A7-60F5-1000-00000000E501}3684988C:\Windows\System32\svchost.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:49.722{43EB4363-57A1-60F5-C50A-00000000E501}7172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1c04-0\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2021-07-19 10:44:49.722 10341000x800000000000000061046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.672{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C50A-00000000E501}7172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000061045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.016{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000061044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.661{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C50A-00000000E501}7172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.660{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C50A-00000000E501}7172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.643{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=545A7587CE373EAAE5789D00B72F016B,SHA256=650BF60AB2A7F6FA4BD80DAFAC446A7F9BAA1E3E787EDA37DAA9CD49A0BA1ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.642{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8D26E25F48B4C861D82F7EB02BDB1B8F,SHA256=203A5E7CC6FA10C8D8918FB3A51C733E99304AF9E061C6B124E63E3879841FA6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.619{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C40A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.593{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C40A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.593{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C40A-00000000E501}5624C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:49.562{43EB4363-57A1-60F5-C30A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1e50-0\Microsoft.VisualStudio.Tools.Applications.Hosting.dll2021-07-19 10:44:49.562 10341000x800000000000000061036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.262{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C30A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.262{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpFFA3.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.247{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=0CD429DC3CEE656B923C4F401747F35A,SHA256=7BDFC461856CBC1A4D457167DD6777998E4F8D55B6717835B77F18268929DF30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.247{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C30A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.247{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C30A-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.247{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=E3D98C0A9A29FDEF2320FFE25576172A,SHA256=A1D85C5363D2792E5C9C7EB5D4473EDA8D6C83FBEEA77C0290D438BAA587B33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.231{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=0716BE98D5BE343CEC67936902DF3E03,SHA256=ED1B4B449FCBF06B612821FC7034DAD573EF10380F5FDA9DC1E401B1A525AA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.231{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=43ABA8FE2FDE7C6194FA27EC43FAAF3C,SHA256=43D47C3E463DECA08EFEE7F1EDDB431201F598EACDFA2655CCB071770EE894C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.216{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=1B10A413301AAE90BB3356317378D6E4,SHA256=23A47FC16F0BC7615C00F6039284DB784A1898D9D53DDB985E3370E9FBE6C0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.212{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\parentTelemetryCache.otc.session-journalMD5=BDD5849479E4A271877E2D6014A41285,SHA256=77782C69CC901239979795FD59C80E9D235AB47221715CCAC1377FF68E45BAE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.063{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C20A-00000000E501}224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.047{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C20A-00000000E501}224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.047{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C20A-00000000E501}224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.016{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C10A-00000000E501}8056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.016{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A1-60F5-C10A-00000000E501}8056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.016{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A1-60F5-C10A-00000000E501}8056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.872{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A2-60F5-CD0A-00000000E501}6704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.857{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A2-60F5-CD0A-00000000E501}6704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.856{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A2-60F5-CD0A-00000000E501}6704C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:50.825{43EB4363-57A2-60F5-CC0A-00000000E501}7480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1d38-0\Microsoft.VisualStudio.Tools.Office.ContainerControl.dll2021-07-19 10:44:50.825 354300x800000000000000061134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.680{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65108-false52.142.114.176-443https 354300x800000000000000061133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.639{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local58434- 23542300x800000000000000061132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.680{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCA6B37BE9C8C2375C4D5901B686590,SHA256=53FAB4EC6AC7B54EE80B9D36473553989F9220E75800E5111D436518517BACC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.675{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A2-60F5-CA0A-00000000E501}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.672{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.672{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.672{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.672{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.672{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A2-60F5-CA0A-00000000E501}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.671{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A2-60F5-CA0A-00000000E501}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.473{43EB4363-57A2-60F5-CA0A-00000000E501}6200C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000061123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.667{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A2-60F5-CC0A-00000000E501}7480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.652{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A2-60F5-CC0A-00000000E501}7480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.651{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A2-60F5-CC0A-00000000E501}7480C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.614{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A2-60F5-CB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.587{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A2-60F5-CB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.587{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A2-60F5-CB0A-00000000E501}7768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:50.531{43EB4363-57A2-60F5-C90A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1fe8-0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll2021-07-19 10:44:50.531 10341000x800000000000000061116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.512{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.512{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.512{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.512{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000061112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:44:50.511{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\BinProductVersion16.0.13801.0 13241300x800000000000000061111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:44:50.511{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\LinkDate02/27/2021 04:29:24 13241300x800000000000000061110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:50.511{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\Publishermicrosoft corporation 13241300x800000000000000061109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:44:50.511{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officesetup.exe|4652edac3f357508\LowerCaseLongPathc:\temp\officesetup.exe 23542300x800000000000000061108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.490{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3AD908B13F5FE128E2C3D0170A3562AA,SHA256=02A7BAC48C2637674FDD8ECC1352A26C453773C0682EB95F26BFB369ACE3CA97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.478{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A8B23101E872333AB801E8D2F3B27F9,SHA256=964EEAE7B6BA94CC41389A29D2CD4A181A7C822FC44A468B6BF7942170E654F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.474{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14174937D75D45B20145C43BD83481A1,SHA256=4EF4A5A70F4462BE627119093DB6117F37382EA1C8538DB138146E8320A8D787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.473{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5F34126E59473BBDBE34505E96A2672B,SHA256=7664AD752D7928BF154463C84C54D3007D1B68B71F81FAFA19B54495BD43D3AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.455{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+2b221|c:\windows\system32\pcasvc.dll+f70d|c:\windows\system32\pcasvc.dll+20e94|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.418{43EB4363-56CD-60F5-F608-00000000E501}75487988C:\Windows\system32\msiexec.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.395{43EB4363-37A7-60F5-1400-00000000E501}11004336C:\Windows\system32\svchost.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000061101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:50.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\000027bb02f51e48dc3e0db3390b300af68d00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x800000000000000061100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.206{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmp34B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.191{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.191{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-577D-60F5-190A-00000000E501}7884C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.191{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=B06F7CAC2606458731BE3E420B6AD37F,SHA256=389434284A37DAE1D93DBF6F44381296FA7FF5997D14A2ED6EB671324B21F1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.175{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=4B1F90347A070214C5B2B612A4A811FB,SHA256=5EDF0B60709E3E0CEED10624C2C2A0EC295F237E5C127AB22191EA75C8771F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.175{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=D6E3FF947A39A3F48EB9B2D6CDAB3BB5,SHA256=637F688BD8BEBFFC4029B8D0CC552FB5F70963FB1FC3732FB82C6E799E413186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.153{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=32D11381342DF2A0884A65E94D72F4DE,SHA256=3B098FD6416BBBB0F383AB7DE508214CB346B95E240D45C88EB462C20B721ED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.153{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=9E37B48A7C1A435F9B202E9C5E530FE1,SHA256=5EAD5BFB770930A98C4AB75CBD785B69623FB766F5B92FF27A57BD049EED8785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.138{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A2-60F5-C90A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.122{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A2-60F5-C90A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.122{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57A2-60F5-C90A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.122{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\userTelemetryCache.otc.session-journalMD5=120991B7DC5618558521B8C287BE8B7F,SHA256=FD89A13735A31AA14A7222B249EF557421E40354EA2F5551AED6F0993EFD48BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.022{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmp29F.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.007{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=26817CCBB934DF1AAD5AFA933903D59A,SHA256=C8496249BC6D1791038635BEDC0FADB8C48F82182843655F59A496B8D2BFC61E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.007{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=00396586CC7FD6F4080D8B73396375E1,SHA256=A57A842E09E71FFA2393EBAEF3554F7A77A6C6C95924BA90A0C2DA1AEC931AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:49.991{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\logs\setup\machineTelemetryCache.otc.session-journalMD5=E315F6D9D1905ED502E477B2C7F46E27,SHA256=D943952D408CC1D27438B8DBBD85D94DC34BB9803BE7BFB05EA9837988F8946E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028785Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:50.011{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E05DCE213910F3880D1C88E455919D93,SHA256=021B25C13D83610CAF184427F80D16218E4EE18A895B92FB220ED024E53D9001,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.886{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ipcsecproc.dll2021-07-19 10:44:51.347 10341000x800000000000000061152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.790{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.790{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.605{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.605{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.596{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A3-60F5-CE0A-00000000E501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.596{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A3-60F5-CE0A-00000000E501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.308{43EB4363-57A3-60F5-CE0A-00000000E501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000061145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.767{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65109-false104.79.89.3a104-79-89-3.deploy.static.akamaitechnologies.com443https 22542200x800000000000000061144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:48.767{43EB4363-37A7-60F5-1600-00000000E501}1272oneclient.sfx.ms0type: 5 oneclient.sfx.ms.edgekey.net;type: 5 e9659.dspg.akamaiedge.net;::ffff:104.79.89.3;C:\Windows\System32\svchost.exe 11241100x800000000000000061143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.406{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-synch-l1-2-0.dll2021-07-19 10:44:51.123 13241300x800000000000000061142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:51.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\000070aa163b48d93a6fb1c459f613fcd65f00000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 11241100x800000000000000061141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.199{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ipcfile.dll2021-07-19 10:44:51.032 11241100x800000000000000061140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.031{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\adal.dll2021-07-19 10:44:51.023 11241100x800000000000000061139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:50.980{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-synch-l1-1-0.dll2021-07-19 10:44:50.980 23542300x800000000000000028786Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:51.136{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611BD49109BEC36287B1FD9C08F8F9A6,SHA256=DBDF84EBE840BC9A7161F009B7D77FEC7400128D3C1414B4547C6A5356B6FC53,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.688{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-errorhandling-l1-1-0.dll2021-07-19 10:44:52.661 11241100x800000000000000061174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.643{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-util-l1-1-0.dll2021-07-19 10:44:52.468 11241100x800000000000000061173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.642{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-debug-l1-1-0.dll2021-07-19 10:44:52.374 11241100x800000000000000061172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.600{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Qml.dll2021-07-19 10:44:52.405 10341000x800000000000000061171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.558{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.554{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.554{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.554{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.554{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57A4-60F5-CF0A-00000000E501}7564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.554{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A4-60F5-CF0A-00000000E501}7564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.102{43EB4363-57A4-60F5-CF0A-00000000E501}7564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000061164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.405{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls.2\qtquickcontrols2plugin.dll2021-07-19 10:44:52.240 11241100x800000000000000061163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.339{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-timezone-l1-1-0.dll2021-07-19 10:44:51.996 11241100x800000000000000061162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.321{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\CollectSyncLogs.bat2021-07-19 10:44:52.081 11241100x800000000000000061161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.321{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-datetime-l1-1-0.dll2021-07-19 10:44:51.987 11241100x800000000000000061160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.987{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\microsoft.office.irm.pdfprotector.dll2021-07-19 10:44:51.736 11241100x800000000000000061159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.972{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-sysinfo-l1-1-0.dll2021-07-19 10:44:51.627 23542300x800000000000000061158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.972{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=545A7587CE373EAAE5789D00B72F016B,SHA256=650BF60AB2A7F6FA4BD80DAFAC446A7F9BAA1E3E787EDA37DAA9CD49A0BA1ED1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.966{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-console-l1-1-0.dll2021-07-19 10:44:51.347 11241100x800000000000000061156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.964{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\vcruntime140.dll2021-07-19 10:44:51.845 23542300x800000000000000061155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.944{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=88C491F305728E96261070689071EDDA,SHA256=8678E566EF4A22E8750EA92A0DF2F3C14A786B6A367DCFDD27F8C0109F5AF937,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:51.944{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5PrintSupport.dll2021-07-19 10:44:51.622 23542300x800000000000000028787Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:52.354{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E62D28C425C91A25EA8B434965ACEC,SHA256=2E7BBF3A52AD19D9E5B2CFE7B53B3C14555BCAE2A5E78683C46BE8E14B81FB5F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.841{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-memory-l1-1-0.dll2021-07-19 10:44:53.840 10341000x800000000000000061207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.840{43EB4363-57A3-60F5-CE0A-00000000E501}23767808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000061206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:51.637{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local52944- 11241100x800000000000000061205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.789{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ETWlog.dll2021-07-19 10:44:53.789 23542300x800000000000000028789Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:53.386{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4B4C0CF473EE57A7E26722408361D,SHA256=557D31B5D0F9644CB8CC95494140577BDD37FF56448DEB848AC94E086704FD4A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.788{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-heap-l1-1-0.dll2021-07-19 10:44:53.654 11241100x800000000000000061203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.788{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-localization-l1-2-0.dll2021-07-19 10:44:53.658 11241100x800000000000000061202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.758{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\libEGL.dll2021-07-19 10:44:53.716 11241100x800000000000000061201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.758{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\WnsClientApi.dll2021-07-19 10:44:53.717 23542300x800000000000000061200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.695{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693D49808E0AE2C86B5D21211C70919D,SHA256=2857E8C1ECD57794093321EF7DA0B449E2D364F6BC6F9081E40268280BEAD74A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.666{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.659{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\default\https+++www.google.com\idb\548905059db.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.628{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-libraryloader-l1-1-0.dll2021-07-19 10:44:53.628 11241100x800000000000000061196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.612{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-interlocked-l1-1-0.dll2021-07-19 10:44:53.612 11241100x800000000000000061195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.595{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-heap-l1-1-0.dll2021-07-19 10:44:53.595 11241100x800000000000000061194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.578{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-handle-l1-1-0.dll2021-07-19 10:44:53.578 11241100x800000000000000061193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.549{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-file-l2-1-0.dll2021-07-19 10:44:53.549 11241100x800000000000000061192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.462{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Quick.dll2021-07-19 10:44:53.462 11241100x800000000000000061191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.318{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\libeay32.dll2021-07-19 10:44:53.317 11241100x800000000000000061190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.312{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-file-l1-2-0.dll2021-07-19 10:44:53.254 23542300x800000000000000061189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.307{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\default\moz-extension+++510fda6f-315b-48e2-9a2f-e908a9796e0b^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.240{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-filesystem-l1-1-0.dll2021-07-19 10:44:53.052 23542300x800000000000000061187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.052{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1653105BA530C0F540CC71C5C3A329FB,SHA256=80614F770B78B8CC7263DBABC557057AE545052F1A63E4A9E95AB7942F0FB58C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.030{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A439EC2C8DA31D6A14F9CC32F73F9402,SHA256=E3FB31093425449762CACB6762996E7BD19A5C2C07D09FE5E1F091C2F93D8217,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.558{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57742- 354300x800000000000000061184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:50.528{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57742- 11241100x800000000000000061183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.014{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-environment-l1-1-0.dll2021-07-19 10:44:53.014 23542300x800000000000000061182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.013{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSID05.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.013{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.890{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-file-l1-1-0.dll2021-07-19 10:44:52.855 11241100x800000000000000061179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.877{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-convert-l1-1-0.dll2021-07-19 10:44:52.735 10341000x800000000000000061178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.858{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A4-60F5-CF0A-00000000E501}7564C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:52.755{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A3-60F5-CE0A-00000000E501}2376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:52.688{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-conio-l1-1-0.dll2021-07-19 10:44:52.688 354300x800000000000000028788Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:52.019{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028790Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:54.604{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85D61C9C18E72731741D2B2CFB9A2367,SHA256=BF02CE648241B7F846A41E7E2640698471F431C30796A8ED880ED22BE9AB6452,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.828{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-multibyte-l1-1-0.dll2021-07-19 10:44:54.827 11241100x800000000000000061236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.826{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncApi.dll2021-07-19 10:44:54.826 11241100x800000000000000061235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.804{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoggingPlatform.dll2021-07-19 10:44:54.804 11241100x800000000000000061234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.754{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSync.Resources.dll2021-07-19 10:44:54.754 11241100x800000000000000061233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.752{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-profile-l1-1-0.dll2021-07-19 10:44:54.752 11241100x800000000000000061232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.735{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-processthreads-l1-1-1.dll2021-07-19 10:44:54.735 11241100x800000000000000061231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.706{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-processthreads-l1-1-0.dll2021-07-19 10:44:54.705 11241100x800000000000000061230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.706{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSync.LocalizedResources.dll2021-07-19 10:44:54.651 11241100x800000000000000061229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.634{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-processenvironment-l1-1-0.dll2021-07-19 10:44:54.634 23542300x800000000000000061228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.555{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806B19316AADC151E41B28E166721683,SHA256=63B2E222CD0A3350EC5F199D08F9F4E66FBB192BF41B545CC844380739A997F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.532{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A6-60F5-D00A-00000000E501}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.508{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\default\https+++www.google.com\idb\548905059db.sqliteMD5=8A58373E4CB22B3C2FD04B3AAED1C608,SHA256=DA3D9A9F285EBE69BB1DFE9E6D5D09C7F50C31ACFB3BACC5D25EE230145034D1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.508{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-math-l1-1-0.dll2021-07-19 10:44:54.241 11241100x800000000000000061224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.508{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5QuickControls2.dll2021-07-19 10:44:54.288 10341000x800000000000000061223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.486{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.486{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.473{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.472{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.435{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A6-60F5-D00A-00000000E501}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.434{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A6-60F5-D00A-00000000E501}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.169{43EB4363-57A6-60F5-D00A-00000000E501}6712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000061216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.239{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuthLib.dll2021-07-19 10:44:54.121 11241100x800000000000000061215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.191{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-namedpipe-l1-1-0.dll2021-07-19 10:44:54.100 11241100x800000000000000061214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:54.099{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-locale-l1-1-0.dll2021-07-19 10:44:53.973 23542300x800000000000000061213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.099{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.098{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\default\https+++www.google.com\.metadata-v2MD5=501DC4DA94BC9FC2A292105C59A7C086,SHA256=FB617530CBE08A5A48221CDAC4CFA7DFE050800CBAE6A141A546058AAECA5141,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:53.973{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\libGLESv2.dll2021-07-19 10:44:53.973 11241100x800000000000000061210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:53.842{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe2021-07-19 10:44:53.842 23542300x800000000000000061209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.842{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F96D9FF12A5AB9162D24304CBAF0C69C,SHA256=57ECBA51A035C8525062DB1160D52BD6C82E543F42027CA8C8FC56F38F513AD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.594{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65110-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000061283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:53.594{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65110-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000061282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.837{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_5_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.763{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-string-l1-1-0.dll2021-07-19 10:44:55.763 10341000x800000000000000061280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.763{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.762{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.734{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncFALWB.dll2021-07-19 10:44:55.734 10341000x800000000000000061277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.693{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.692{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.692{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.691{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000061273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.690{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 11241100x800000000000000061272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.664{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-stdio-l1-1-0.dll2021-07-19 10:44:55.660 10341000x800000000000000061271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.642{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.642{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.641{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.641{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\msipc.dll2021-07-19 10:44:55.592 10341000x800000000000000061267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.612{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.612{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-runtime-l1-1-0.dll2021-07-19 10:44:55.437 11241100x800000000000000061265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.612{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncFAL.dll2021-07-19 10:44:55.551 23542300x800000000000000061264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.612{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C14191FAEE87EB0A3FC634E63201886F,SHA256=F2D9011D22A6015C4BF9AB693C1515C959CD3A2B13F161F2046B75D45B2183EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.573{43EB4363-55C4-60F5-7E08-00000000E501}2288388C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000061262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.572{43EB4363-55C4-60F5-7E08-00000000E501}2288388C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000061261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.571{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A6-60F5-D10A-00000000E501}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.553{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.553{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.552{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.552{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.552{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.552{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.548{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000061253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.542{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 11241100x800000000000000061252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.497{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-string-l1-1-0.dll2021-07-19 10:44:55.281 11241100x800000000000000061251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:55.470{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe2021-07-19 10:44:55.328 11241100x800000000000000061250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.418{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-process-l1-1-0.dll2021-07-19 10:44:55.159 11241100x800000000000000061249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.418{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5QuickTemplates2.dll2021-07-19 10:44:55.282 10341000x800000000000000061248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.315{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.315{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.280{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.280{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.231{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogUploader.dll2021-07-19 10:44:55.120 11241100x800000000000000061243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.164{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncClient.dll2021-07-19 10:44:55.037 11241100x800000000000000061242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.135{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-private-l1-1-0.dll2021-07-19 10:44:54.983 11241100x800000000000000061241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:55.135{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-core-rtlsupport-l1-1-0.dll2021-07-19 10:44:54.883 10341000x800000000000000061240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.960{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57A6-60F5-D10A-00000000E501}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.960{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A6-60F5-D10A-00000000E501}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.959{43EB4363-57A6-60F5-D10A-00000000E501}7140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028804Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.684{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B4ED417EDBC0944937F18C97A636B69,SHA256=3CB966ACDAC23AF93582D992E974EB30645BD08F8FA234D9DAB75679290362E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028803Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57A7-60F5-0206-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028802Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028801Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028800Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028799Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028798Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028797Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028796Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028795Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028794Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028793Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57A7-60F5-0206-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028792Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.526{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57A7-60F5-0206-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028791Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:55.527{53AF6CEB-57A7-60F5-0206-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000061311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:54.242{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000061310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.703{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A8-60F5-D20A-00000000E501}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.689{43EB4363-37B7-60F5-2800-00000000E501}28565152C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000061308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.689{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.689{43EB4363-37B7-60F5-2800-00000000E501}28565152C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.689{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.689{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000061304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.687{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3114B8C5B3A87F3476A49CBAECF8BE5,SHA256=44E69DE5A3DCBAEC46B49BA8550BAC53B21DBDEBED3C79A75737214F62EE9C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.600{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\windows-systemtoast-securityandmaintenance_1_0.pngMD5=099BA37F81C044F6B2609537FDB7D872,SHA256=8C98C856E4D43F705FF9A5C9A55F92E1885765654912B4C75385C3EA2FDEF4A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.577{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.577{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.576{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.576{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.443{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A8-60F5-D20A-00000000E501}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.443{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A8-60F5-D20A-00000000E501}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.260{43EB4363-57A8-60F5-D20A-00000000E501}8056C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000061295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.365{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll2021-07-19 10:44:56.364 11241100x800000000000000061294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.230{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\msvcp140.dll2021-07-19 10:44:56.208 11241100x800000000000000061293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.169{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-utility-l1-1-0.dll2021-07-19 10:44:56.169 10341000x800000000000000061292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.154{43EB4363-57A6-60F5-D00A-00000000E501}67127268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.038{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncSessions.dll2021-07-19 10:44:56.038 11241100x800000000000000061290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.030{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\api-ms-win-crt-time-l1-1-0.dll2021-07-19 10:44:56.024 11241100x800000000000000061289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:56.030{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Svg.dll2021-07-19 10:44:56.024 10341000x800000000000000028834Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.870{53AF6CEB-57A8-60F5-0406-00000000E601}30483360C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028833Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54366F22DFCBF147B95C159D6D879E17,SHA256=C95DB18E7CACED6AA25F339C1E448FBAD1D3C7693D85C05CAE4ED755E4C172DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028832Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57A8-60F5-0406-00000000E601}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028831Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028830Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028829Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028828Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028827Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028826Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028825Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028824Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028823Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-57A8-60F5-0406-00000000E601}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028822Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028821Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.714{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57A8-60F5-0406-00000000E601}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028820Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.715{53AF6CEB-57A8-60F5-0406-00000000E601}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.007{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.948{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86160C4F00687542C1040FC8E12521CE,SHA256=8C5EB680EE014ABCFEDBCD9E260154DAF7DFCD6B9FDD3D25760B97A253C97031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.870{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\y7l8cnva.default-release\cache2\entries\F18D85F52EBBBA2AB081EF739ED0D6E8A76D497CMD5=C762F600E99D9F6296E0FF8F559C506C,SHA256=A52867A63746E8111CCAF71BBC2ED63E840FE1A1C5BE44921F38A1BDC0AEDC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:55.853{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\ADMINI~1\AppData\Local\Temp\{8AA2FEEE-D638-4BEC-8FC4-479150A45D7B}.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028819Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.589{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=347C1C1B5191AFEAD499D453CE1D1ACE,SHA256=BD4F70E0342DF39CFA482BC2C3959FC0A54FBCCE2FBA2DE02617329774B0FD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028818Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.589{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8D95A7DB23FEE1C1AA57FCA3A107487,SHA256=7E5F9D004F757A4F5F645EAF70EC564524ED85054941C73FC07414EB19C512D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028817Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57A8-60F5-0306-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028816Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028815Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028814Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028813Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028812Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028811Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028810Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028809Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028808Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028807Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-57A8-60F5-0306-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028806Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.089{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57A8-60F5-0306-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028805Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:56.090{53AF6CEB-57A8-60F5-0306-00000000E601}2936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000028850Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.979{53AF6CEB-57A9-60F5-0506-00000000E601}963176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028849Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57A9-60F5-0506-00000000E601}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028848Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028847Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028846Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028845Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028844Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028843Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028842Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028841Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028840Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028839Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-57A9-60F5-0506-00000000E601}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028838Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57A9-60F5-0506-00000000E601}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028837Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.808{53AF6CEB-57A9-60F5-0506-00000000E601}96C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028836Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B3CF059C154F9E9C0337D305BF8556,SHA256=80E3B8825862E9DC20EEFCCFD77B47A1421BBB76A55FB2ECC11D213AF20CA057,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.991{43EB4363-55C4-60F5-7E08-00000000E501}2288388C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:57.988{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5WinExtras.dll2021-07-19 10:44:57.986 23542300x800000000000000061329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.679{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F488B46660B3473935BFDA1E3101060,SHA256=3E285F382589B7D727D03AC4AA9FCC09C7D5E318FE3F9B9A80FDCF31CA94C46E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.679{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57A9-60F5-D30A-00000000E501}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.386{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.385{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.363{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.363{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.342{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57A9-60F5-D30A-00000000E501}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.342{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57A9-60F5-D30A-00000000E501}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.122{43EB4363-57A9-60F5-D30A-00000000E501}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.340{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c634.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.143{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFD64C6B956FFEC902.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 11241100x800000000000000061318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:57.135{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Widgets.dll2021-07-19 10:44:57.087 13241300x800000000000000061317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:57.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\000068583dc536ea8c3daf81bdbdf12127d400000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x800000000000000061316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.079{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF91A8DD94B8CFA7E0.TMPMD5=D2BA2CC170C56652785B77E5B1C0ADC8,SHA256=3939D13D0DBE68025C42BB2643E6618EE472A74C715C012EC7B5A737375A4A1D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:57.075{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncViews.dll2021-07-19 10:44:57.065 11241100x800000000000000061314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:57.046{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDrive.exe2021-07-19 10:44:56.969 23542300x800000000000000061313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:57.043{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D84D7AB564700D68887A8C35238021,SHA256=FC48CB1DF88C9EA3D91CC62D0BBE54FEEA4109FD42387B3670CB07609F46402B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:56.879{43EB4363-57A6-60F5-D10A-00000000E501}71407524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028835Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.729{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=347C1C1B5191AFEAD499D453CE1D1ACE,SHA256=BD4F70E0342DF39CFA482BC2C3959FC0A54FBCCE2FBA2DE02617329774B0FD28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028856Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028855Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57AA-60F5-0606-00000000E601}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028854Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57AA-60F5-0606-00000000E601}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028853Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.996{53AF6CEB-57AA-60F5-0606-00000000E601}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028852Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.979{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4BADD859AAA7F5A22BCF22C212621C,SHA256=7E2C8A87C659C45FC029D57E0BA95010FE3B6F1ADFF7377779DFF5F2018106B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.867{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=073EC0E2FD2E0F5D15945050472FE88A,SHA256=2C957F07B384AB05B683DEA52B98C09D766A39ADE86A6A91E6763E51C0B8B2C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.686{43EB4363-57A9-60F5-D30A-00000000E501}77167840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028851Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.823{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=964B18C4ACF28FE0CAD2F7E2FF2437F9,SHA256=36258862713A15B64959AAE92C6EB4EA501A7AD27853ADA813F3EE8453D6C01F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.436{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EE5B466D9AFF4CCA38CC6329ECB38EC,SHA256=B27E1D550D62DC0803098351BDCE7AFB389D5645D6BF4DD0C77CB6B74676F95D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:58.214{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Teams Installer\Teams.exe2021-07-19 10:44:58.214 10341000x800000000000000061336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.174{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.147{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.048{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.048{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:58.020{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.975{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.936{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000061358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.883{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D84B43FF3703CDA3E22EEBD64875888,SHA256=832D6B68557AC2C43BC4AF1FD4862E432B2FDE7F61296576322A5AA7FBE88D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028881Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.839{53AF6CEB-57AB-60F5-0706-00000000E601}38682108C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028880Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57AB-60F5-0706-00000000E601}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028879Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028878Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028877Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028876Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028875Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028874Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028873Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028872Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028871Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028870Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57AB-60F5-0706-00000000E601}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028869Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.667{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57AB-60F5-0706-00000000E601}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028868Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.668{53AF6CEB-57AB-60F5-0706-00000000E601}3868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000028867Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:57.925{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028866Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:59.151{53AF6CEB-57AA-60F5-0606-00000000E601}576572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028865Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57AA-60F5-0606-00000000E601}576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028864Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028863Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028862Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028861Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028860Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028859Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028858Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028857Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:44:58.995{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:59.681{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Core.dll2021-07-19 10:44:59.680 10341000x800000000000000061356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.672{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.672{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.651{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.650{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.635{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.635{43EB4363-56CD-60F5-F608-00000000E501}75487824C:\Windows\system32\msiexec.exe{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.635{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6430B36086B08B4342165C9C725D2782 E Global\MSI0000C:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e72SystemMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 11241100x800000000000000061349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:59.625{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileCoAuthLib64.dll2021-07-19 10:44:59.625 13241300x800000000000000061348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:59.489{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\URLUpdateInfo(Empty) 13241300x800000000000000061347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:44:59.488{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\PublisherMicrosoft Corporation 13241300x800000000000000061346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:44:59.488{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{731F6BAA-A986-45A4-8936-7C3AAAAA760B}\InstallSourceC:\Program Files\Microsoft Office\root\integration\Addons\ 13241300x800000000000000061345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1060,RunKeySetValue2021-07-19 10:44:59.316{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TeamsMachineInstaller%%ProgramFiles%%\Teams Installer\Teams.exe --checkInstall --source=PROPLUS 254200x800000000000000061344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:44:59.225{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Teams Installer\Teams.exe2021-03-12 23:35:24.0002021-07-19 10:44:58.214 10341000x800000000000000061343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:44:59.212{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:44:59.110{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\imageformats\qjpeg.dll2021-07-19 10:44:59.110 11241100x800000000000000061341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:44:59.049{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveStandaloneUpdater.exe2021-07-19 10:44:59.049 17141700x800000000000000061365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:45:00.935{43EB4363-57AB-60F5-D40A-00000000E501}8064\SfxCA_8203578C:\Windows\syswow64\MsiExec.exe 23542300x800000000000000061364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.932{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5805D1BA75A0473A380F4978833238AE,SHA256=201CFC7803C483C6A34E78AAEA1DE0D5FBCA11BEF6962168AA4D38E1BF706134,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028883Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:00.229{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B22272E4929BACD2C5CED0891801D41,SHA256=3FCAC75C91F906148F380013B25DDCF98C3808FD963739850C505B1B534F14D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.841{43EB4363-57AB-60F5-D40A-00000000E501}80642376C:\Windows\syswow64\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7873|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000061362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:00.340{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\imageformats\qsvg.dll2021-07-19 10:45:00.340 11241100x800000000000000061361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:00.145{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5DBus.dll2021-07-19 10:45:00.145 23542300x800000000000000028882Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:00.011{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4CFAF9CD89F7E03BE544F61AFBFD45F,SHA256=7DCBA3B20E8727840A951744127D531E111E32BD456A16160C9B11ADAF480F85,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:01.810{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Network.dll2021-07-19 10:45:01.810 11241100x800000000000000061388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:01.761{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\RemoteAccess.dll2021-07-19 10:45:01.712 10341000x800000000000000028897Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57AD-60F5-0806-00000000E601}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028896Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028895Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028894Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028893Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028892Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028891Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028890Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028889Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028888Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028887Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-57AD-60F5-0806-00000000E601}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028886Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.370{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57AD-60F5-0806-00000000E601}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028885Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.371{53AF6CEB-57AD-60F5-0806-00000000E601}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028884Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:01.229{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFA74C68972A3BB0D0BE5A26779E50F5,SHA256=5C21E0F61F0770F05B1AECF971C83172CDA873755B9EC1A234E68D851E483278,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:01.358{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncApi64.dll2021-07-19 10:45:01.358 10341000x800000000000000061386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.355{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57AD-60F5-D60A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.355{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57AD-60F5-D60A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:01.299{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Extras\qtquickextrasplugin.dll2021-07-19 10:45:01.299 10341000x800000000000000061383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.298{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.298{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.298{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648482A4605A7601DF908F8BB95BAE78,SHA256=81D1D6C32DA192601A8F0A1D5BE1B36DE7EBB4F60D2ABD12D3AD8473E30D87EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.298{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.298{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 18141800x800000000000000061378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:45:01.226{43EB4363-57AC-60F5-D50A-00000000E501}4912\SfxCA_8203578C:\Windows\SysWOW64\rundll32.exe 10341000x800000000000000061377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.096{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-5643-60F5-C308-00000000E501}6176C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.095{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-5643-60F5-C308-00000000E501}6176C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:01.022{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Qt5Gui.dll2021-07-19 10:45:01.022 10341000x800000000000000061374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.016{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.016{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:01.015{43EB4363-37A7-60F5-1600-00000000E501}12721340C:\Windows\system32\svchost.exe{43EB4363-57AC-60F5-D50A-00000000E501}4912C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.997{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57AC-60F5-D50A-00000000E501}4912C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.944{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-57AC-60F5-D50A-00000000E501}4912C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.939{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.939{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.938{43EB4363-57AB-60F5-D40A-00000000E501}8064852C:\Windows\syswow64\MsiExec.exe{43EB4363-57AC-60F5-D50A-00000000E501}4912C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI282F.tmp+28f8(wow64)|C:\Windows\Installer\MSI282F.tmp+247f(wow64)|C:\Windows\Installer\MSI282F.tmp+3a91(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000061366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.937{43EB4363-57AC-60F5-D50A-00000000E501}4912C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe "C:\Windows\Installer\MSI282F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8203578 26613 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.RemoveRegKeyFromPreviousInstallC:\Windows\SysWOW64\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e72SystemMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{43EB4363-57AB-60F5-D40A-00000000E501}8064C:\Windows\SysWOW64\msiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 6430B36086B08B4342165C9C725D2782 E Global\MSI0000 23542300x800000000000000028899Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:02.468{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6923BD65152BB7CEACFD6AD5D521935,SHA256=5DAE5739B03D1920DE401933B11E8D355AD513C74978113FBCE43F350F6A62B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028898Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:02.468{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=937BED8A66AB3CD76CCE4E9C63C001FC,SHA256=5C6A7DC82A9F062FBB5D0C3BA2807871D8966D7B9F25BFBD78326E844401662C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:02.960{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\CustomAction.configMD5=4BFDEF8658100D564788F676B4A63864,SHA256=A2E973CCE1F85A2AB9D6E7A90909B17B332C1EF4159FFC57BB3CF688E02BA9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:02.954{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\BootstrapperCore.dllMD5=B0D10A2A622A322788780E7A3CBB85F3,SHA256=F2C2B3CE2DF70A3206F3111391FFC7B791B32505FA97AEF22C0C2DBF6F3B0426,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:02.490{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAC30A71569D314944FBC1CFFABCC88E,SHA256=6CC62CAC07382B04D0F5CE508CF37B68F7D6BDF6C76AF0BAD25ABCBBB69647BE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:02.490{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll2021-07-19 10:45:02.487 23542300x800000000000000061391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:02.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC4EF97269A6BF6F1AB49A6B60598EA,SHA256=B32AFCF2ED8F9108B6A31D9C5A483B595BCC7A9DBCDC2A95B6F7E5E5F26A020D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:00.093{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028900Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:03.500{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC2511559D9031F56AE77D353F1E898,SHA256=2E7B301EFF3154762B3221C68174294D6A35E55FE1CDB1B996713B9835F1625E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.963{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.962{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-5643-60F5-C308-00000000E501}6176C:\Temp\OfficeSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.922{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.Edm.resources.dllMD5=72CB6CEFD5CE2E63EF929EC63B5C84AF,SHA256=AFCC051B49B4A102BD618D8F3E914346D402588E42333F71C2AB43C9F90F5590,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.767{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.Edm.dllMD5=78131030AB1F627955BE3182345BD001,SHA256=E5B0363A26DB4A5C0EDBB8D0EFF0A7B7C071C6C31960832A4332D31FCD170170,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.648{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Bond.Interfaces.dllMD5=52A51EE95888A7BA3A277C02AC07734B,SHA256=AF910124D7E52D5350D4AB125FA661032936C53D7ADAD081D32766F25297A17E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 13241300x800000000000000061404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:03.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00004ee7114ba1c474f7bbd42f8c9f930b0700000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x800000000000000061403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.345{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Bond.dllMD5=E71099478421938F865EE4AD49B5D4E8,SHA256=41A5C53E2AFAD3E9934582B97229216D614A0AFE520C4ADB765B01E7801BE727,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x800000000000000061402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.329{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-57AD-60F5-D60A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.294{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Applications.Telemetry.dllMD5=13A81056CEAEDAA4C8A4FBB59AA5D92C,SHA256=5E733EF38D2B71111A91B6BC468F415B59BF2B33157D4F728B8926014405E330,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.196{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Applications.Telemetry.Desktop.dllMD5=D5FD6ADB0C22D8D947A9E282EDD89D6D,SHA256=100CF34635E4BCD9C3793E9231736E6FF62715FCEAB32BAFBFF49B48B85AC64A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.192{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\ICSharpCode.SharpZipLib.dllMD5=F2BF7155CDB0F7E7ED3AF446BA588D8E,SHA256=B6BC2CCDD4E72C087B5D9D19E29F5069310EEF5ADE4B42D367960997433F0C05,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.161{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E3704CEEF998EAADBD68BD3BB35E4F,SHA256=19DCF25A6F6E07E5AD3D2C2D5583CAEDD09F076D554FB40D1FE9892AC025E2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.040{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\DeltaCompressionDotNet.MsDelta.dllMD5=F6437EBA2912907A6F13CC18E17239F0,SHA256=7C64414EF3A6E73D3CE5761DC964EB27DA68F70F8B0C04AD62DEE0AA9EAF1BEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:02.991{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\DeltaCompressionDotNet.dllMD5=3CE9C038499D47BFDFABC197F34E04F8,SHA256=2F2FAEBE394F94EAF7F0FBDC09E43F8370717F5C684B66AB61A7DABB755EF4BF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000028902Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:04.515{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C011535A9F02F86A6A184D927958CEF,SHA256=D5C41CC3EC333F4EEB3506808C1947829A716EAFC955179B3D748E50860FA2CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028901Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:03.070{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.954{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\System.Spatial.dllMD5=539ECBA6ADC02BD1711E0C0883A502AF,SHA256=0B347698A279A88CF278759100A488941AAF7ACCA96C52194845290D08A26366,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.812{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Squirrel.dllMD5=787F70131787B84A5BACCC51B5FDEB10,SHA256=D36F4F1DC51A3C93C4A578BAE0FAEE4DECD06B7B29F813197E06B5CDC105A7C3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.752{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Splat.dllMD5=1975E684C48457D72F37696BB1B880E6,SHA256=7A6F255CF59D6594C8F5BC466956F09305A3A10C8D683E485C7E1F14371701C4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.708{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.704{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\SetupConfigCustomAction.dllMD5=87015D400C9199B4A701EB81A664B551,SHA256=4346DC073DBB96595CC1CAD1F4EB2FCC729E8284F4968A73C25B8296A81187E4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.590{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\NuGet.Squirrel.dllMD5=6A5C1FA6116A760D4CE0B31B65A71E4C,SHA256=BCD5B82372B117F16956B5704A56FC37D3DA91A9D8A8BBB53D026B99B88F0817,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:04.528{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\arm64\FileSyncApi64.dll2021-07-19 10:45:04.528 23542300x800000000000000061418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.515{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Mono.Cecil.dllMD5=7546ACEBC5A5213DEE2A5ED18D7EBC6C,SHA256=7744C9C84C28033BC3606F4DFCE2ADCD6F632E2BE7827893C3E2257100F1CF9E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.430{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Web.XmlTransform.dllMD5=6AD7D1E92C9833F4BDDE6A4BC84F2E1A,SHA256=13DCF5066E00152238191314D4A46605204FFABDBB830BDD0C97DF3027D1261D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.390{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Deployment.WindowsInstaller.dllMD5=233CA870E2530DA48897DB8FA6F1E3CF,SHA256=CA420FEF4909C10E2E95C8C899FA7D009892DDDF0B2424870236F1D0676E9165,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.202{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Deployment.Resources.dllMD5=343DC7A39956EC67A576C91D3765A1CD,SHA256=71D85BB2863F61CA11625E8BEE171114047D3F3E95792309E2040F3E139BAAE3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.174{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.Services.Client.resources.dllMD5=7F92069CFD4EA63487C25D6ECD96D1F3,SHA256=36DD5A40328C39E032F2CDB3B0F8CCF384716E46488A4E3356A387F74C03357B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.102{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.Services.Client.dllMD5=269BDEFAC8F933B2B133660BCEB81F13,SHA256=3CE056DD03533E4A8D9644B99ADE69B8CF6D5EDF3AB26FE2B9467AEC17A3C85D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.095{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D8FC172114A7C242E6C48DA64B3921,SHA256=E6EE84474902105A18E0EC140C125D4751895D447602703CE71B092E21F12E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.029{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.OData.resources.dllMD5=055CACF6D88D81AD52A8E30E83235CD2,SHA256=8435109572A7548A21C20CC0A3054060127F49376EFAF548AAA303828F257217,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:03.978{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Microsoft.Data.OData.dllMD5=2D8AEF0300B61BB6A075950900AEFFE3,SHA256=B37D4E017BB6444E00F7A840BD3562D194D199288A0B8406B6DCB431A867B702,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000028903Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:05.531{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CB651A889CC9838CB1862340316CFB,SHA256=9DAECBB7F452CB54DB87844C71AD570F1072CDE00B6CA4FA0217ED2FAE2FE96F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.782{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAFCC93BF9FEEDF98.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.727{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFCE000DE520F32F68.TMPMD5=D2BA2CC170C56652785B77E5B1C0ADC8,SHA256=3939D13D0DBE68025C42BB2643E6618EE472A74C715C012EC7B5A737375A4A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.597{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSID05.tmpMD5=514D449543BA4BA5DD2ABA0B279C771C,SHA256=EDB63AFF6B353D2A86132CC29BEE3DAC4DA4CC5218BBF96F22EDBD4558ACFC8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:05.572{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\arm64\FileSyncShell64.dll2021-07-19 10:45:05.572 10341000x800000000000000061438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.502{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.502{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.502{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.502{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.501{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+d158a|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.501{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000061432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.501{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+d1578|C:\Windows\System32\SHELL32.dll+84a04|C:\Windows\System32\SHELL32.dll+84658|C:\Windows\SYSTEM32\msi.dll+e280d|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b0772|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.484{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI282F.tmpMD5=915C007381385DDEB22A0FF66AA47FAE,SHA256=F12A80A4B3EB7789B005328C25316B1C7995EFA8CD14F00EA55EE7412A3BBF09,IMPHASH=C2AAC1B2B9FA36FBEA7CD3D2B4516228truetrue 23542300x800000000000000061430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.258{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\wix.dllMD5=45688182A675C3B0563C9201D8F01B39,SHA256=4B3CF980A840F3E36D98FEF3B4D4C302313AC7E2EA3310F5D0D71722853975C7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:05.237{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ssleay32.dll2021-07-19 10:45:05.237 23542300x800000000000000061428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.212{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\Telemetry.dllMD5=0B0D7B8DDED32A95DFC994B3C6CC0126,SHA256=6292E23132D15FBDF18B45FB9DAF837245CC08B6EF19E920BE56E2D04E754DC9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.164{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70922EF04940E310DB717FED3224EB8A,SHA256=4489CCA45681459CBC37EDC9FC6F3754EC6DB421EC62588DB9B2EFE3D97D941B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.005{43EB4363-57AC-60F5-D50A-00000000E501}4912NT AUTHORITY\SYSTEMC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI282F.tmp-\System.Spatial.resources.dllMD5=AD73B408CD61BC349ECB29D018A90F25,SHA256=60225714F5F67C7AFE03ADAD6B06DE02396F687F441813847C7C5D083AB10FBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000028904Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:06.609{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7369A3A01629650D62D47A71A0E98974,SHA256=AC05E389CA764D4ED142C586D25962AA22C0044D06995C779082ABBCBDBDA880,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.920{43EB4363-57B2-60F5-D70A-00000000E501}49525456C:\Windows\syswow64\MsiExec.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\syswow64\MsiExec.exe+7291|C:\Windows\syswow64\MsiExec.exe+7873|C:\Windows\syswow64\MsiExec.exe+9201|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 11241100x800000000000000061460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:06.641{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick.2\qtquick2plugin.dll2021-07-19 10:45:06.641 10341000x800000000000000061459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.518{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\syswow64\MsiExec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000061458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:04.580{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000061457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.359{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AE379C7AD13A07F3869C8149901F41,SHA256=D781A664CF06C4D795910FC012E0949745954DE3776B73FED7243207B89336EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.354{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 11241100x800000000000000061455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:06.306{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Layouts\qquicklayoutsplugin.dll2021-07-19 10:45:06.306 10341000x800000000000000061454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.242{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.242{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.241{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.241{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.220{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.220{43EB4363-56CD-60F5-F608-00000000E501}75487824C:\Windows\system32\msiexec.exe{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\syswow64\MsiExec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ba6f5|C:\Windows\system32\Msi.dll+16c8f4|C:\Windows\system32\Msi.dll+16cf6c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.219{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DDD566F8274F0258389D3E37DE13E98AC:\Windows\SysWOW64\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 23542300x800000000000000061447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.154{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c634.rbsMD5=7A17AF7ADD19B92DFD2A851FE765EBD1,SHA256=A17F916A3EAE3B54C21CD74FFE3E2CC77D756E004F6BA27737A396910268B2BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.064{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shmMD5=34B11BDF5DE1DBE19941CC42F401BCA3,SHA256=1304D3A6E53082982DB69ADE6EF3922B154AA511823C2066335B74DFE3B8F23C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.064{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF987709217F713238.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 11241100x800000000000000061444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:06.050{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\SyncEngine.dll2021-07-19 10:45:06.050 23542300x800000000000000061443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:06.018{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF62DCB126FE1FB256.TMPMD5=D2BA2CC170C56652785B77E5B1C0ADC8,SHA256=3939D13D0DBE68025C42BB2643E6618EE472A74C715C012EC7B5A737375A4A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028905Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:07.843{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C60A42FB62BF41BD0531F188E97A86,SHA256=0EB78D92DAFEB26397C93ECE13D9E41E107A0ACFCFD6B41939155C01573CBC85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.926{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\BootstrapperCore.dllMD5=B0D10A2A622A322788780E7A3CBB85F3,SHA256=F2C2B3CE2DF70A3206F3111391FFC7B791B32505FA97AEF22C0C2DBF6F3B0426,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:07.833{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\Microsoft.Office.Irm.MsoProtector.dll2021-07-19 10:45:07.832 23542300x800000000000000061481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.816{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Program Files (x86)\Teams Installer\setup.jsonMD5=19AD152B4BF6B7482CD1FF761CA0EBAA,SHA256=190C38F4F1B04B75B5CEC8D03D3946A94E54044662752ACA7D54C8193EBC5C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.648{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D077B6308828C27A7BD4C938AF5B8205,SHA256=47FA652D7ED92B944D7EA6BAF757612755C34C73123EDF5806F99E72DF608DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EB829B3E3214D73D1B923C646C9EECF,SHA256=091F7BDBDF5FEFF2760FBA8D6C637CCBDAE038D456F4FC8D96699B30B4A45164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.629{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=430C0397FFA69A41565EACDBB650578B,SHA256=F575A7B7C14275A0E887C103C50A983ADF9F571FB988A030872FF5B02F012B40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:05.155{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000061476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.343{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1200-00000000E501}356C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.343{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.343{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.271{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.271{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.271{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.270{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x800000000000000061469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-ConnectPipe2021-07-19 10:45:07.229{43EB4363-57B3-60F5-D80A-00000000E501}4384\SfxCA_8209796C:\Windows\SysWOW64\rundll32.exe 10341000x800000000000000061468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.189{43EB4363-37A7-60F5-1600-00000000E501}12724104C:\Windows\system32\svchost.exe{43EB4363-57B3-60F5-D80A-00000000E501}4384C:\Windows\SysWOW64\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.189{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57B3-60F5-D80A-00000000E501}4384C:\Windows\SysWOW64\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.148{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-57B3-60F5-D80A-00000000E501}4384C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.144{43EB4363-57B2-60F5-D70A-00000000E501}49524852C:\Windows\syswow64\MsiExec.exe{43EB4363-57B3-60F5-D80A-00000000E501}4384C:\Windows\SysWOW64\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Installer\MSI41E2.tmp+28f8(wow64)|C:\Windows\Installer\MSI41E2.tmp+247f(wow64)|C:\Windows\Installer\MSI41E2.tmp+3a7b(wow64)|C:\Windows\System32\msi.dll+a9703(wow64)|C:\Windows\System32\msi.dll+1800e6(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x800000000000000061464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.144{43EB4363-57B3-60F5-D80A-00000000E501}4384C:\Windows\SysWOW64\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXErundll32.exe "C:\Windows\Installer\MSI41E2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_8209796 26619 SetupConfigCustomAction!Squirrel.SetupConfigCustomAction.SettingsCustomActions.CopyConfigC:\Windows\SysWOW64\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=A6ED2B5513A128315EC73A300D215759,SHA256=9980CC59993DCDE34A20411E3FACFEE8E7B159EE0D6FA510BCFAECC8532B4C02,IMPHASH=B79A26282DC6494FFDA9173E830DAB0A{43EB4363-57B2-60F5-D70A-00000000E501}4952C:\Windows\SysWOW64\msiexec.exeC:\Windows\syswow64\MsiExec.exe -Embedding DDD566F8274F0258389D3E37DE13E98A 17141700x800000000000000061463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-CreatePipe2021-07-19 10:45:07.143{43EB4363-57B2-60F5-D70A-00000000E501}4952\SfxCA_8209796C:\Windows\syswow64\MsiExec.exe 11241100x800000000000000061462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:07.016{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Telemetry.dll2021-07-19 10:45:07.016 11241100x800000000000000061503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.920{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt2021-07-19 10:45:08.920 11241100x800000000000000061502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:08.915{43EB4363-57AD-60F5-D60A-00000000E501}7292C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1c7c-0\Microsoft.VisualStudio.Tools.Office.Runtime.dll2021-07-19 10:45:08.915 23542300x800000000000000061501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.911{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Deployment.Resources.dllMD5=343DC7A39956EC67A576C91D3765A1CD,SHA256=71D85BB2863F61CA11625E8BEE171114047D3F3E95792309E2040F3E139BAAE3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.864{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.Services.Client.resources.dllMD5=7F92069CFD4EA63487C25D6ECD96D1F3,SHA256=36DD5A40328C39E032F2CDB3B0F8CCF384716E46488A4E3356A387F74C03357B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.835{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.Services.Client.dllMD5=269BDEFAC8F933B2B133660BCEB81F13,SHA256=3CE056DD03533E4A8D9644B99ADE69B8CF6D5EDF3AB26FE2B9467AEC17A3C85D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.822{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.OData.resources.dllMD5=055CACF6D88D81AD52A8E30E83235CD2,SHA256=8435109572A7548A21C20CC0A3054060127F49376EFAF548AAA303828F257217,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.806{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.OData.dllMD5=2D8AEF0300B61BB6A075950900AEFFE3,SHA256=B37D4E017BB6444E00F7A840BD3562D194D199288A0B8406B6DCB431A867B702,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.788{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.Edm.resources.dllMD5=72CB6CEFD5CE2E63EF929EC63B5C84AF,SHA256=AFCC051B49B4A102BD618D8F3E914346D402588E42333F71C2AB43C9F90F5590,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.767{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Data.Edm.dllMD5=78131030AB1F627955BE3182345BD001,SHA256=E5B0363A26DB4A5C0EDBB8D0EFF0A7B7C071C6C31960832A4332D31FCD170170,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.709{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Bond.Interfaces.dllMD5=52A51EE95888A7BA3A277C02AC07734B,SHA256=AF910124D7E52D5350D4AB125FA661032936C53D7ADAD081D32766F25297A17E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.689{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Bond.dllMD5=E71099478421938F865EE4AD49B5D4E8,SHA256=41A5C53E2AFAD3E9934582B97229216D614A0AFE520C4ADB765B01E7801BE727,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.577{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC59DC2A6666A10BA41218E9593CA51,SHA256=C8ECDB51B6868F2F956238C8CE333CDB57FBAE95DDE8B09F72E39C9E5B73349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.558{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Applications.Telemetry.dllMD5=13A81056CEAEDAA4C8A4FBB59AA5D92C,SHA256=5E733EF38D2B71111A91B6BC468F415B59BF2B33157D4F728B8926014405E330,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:08.468{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\IRMProtectors\Microsoft.Office.Irm.OfcProtector.dll2021-07-19 10:45:08.467 23542300x800000000000000061489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.467{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Applications.Telemetry.Desktop.dllMD5=D5FD6ADB0C22D8D947A9E282EDD89D6D,SHA256=100CF34635E4BCD9C3793E9231736E6FF62715FCEAB32BAFBFF49B48B85AC64A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x800000000000000061488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.362{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.338{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\ICSharpCode.SharpZipLib.dllMD5=F2BF7155CDB0F7E7ED3AF446BA588D8E,SHA256=B6BC2CCDD4E72C087B5D9D19E29F5069310EEF5ADE4B42D367960997433F0C05,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.165{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\DeltaCompressionDotNet.MsDelta.dllMD5=F6437EBA2912907A6F13CC18E17239F0,SHA256=7C64414EF3A6E73D3CE5761DC964EB27DA68F70F8B0C04AD62DEE0AA9EAF1BEB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.073{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\DeltaCompressionDotNet.dllMD5=3CE9C038499D47BFDFABC197F34E04F8,SHA256=2F2FAEBE394F94EAF7F0FBDC09E43F8370717F5C684B66AB61A7DABB755EF4BF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:07.947{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\CustomAction.configMD5=4BFDEF8658100D564788F676B4A63864,SHA256=A2E973CCE1F85A2AB9D6E7A90909B17B332C1EF4159FFC57BB3CF688E02BA9EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.887{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF73815223A4F3077B.TMPMD5=879A70181CE93BC1387AEDE60BE3FFD1,SHA256=02AC218AE3AC950C47CFDA039185979FC04B286D05483F56303DA913CEAF1324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.887{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=809E086924857D9CEC01288B67F211D8,SHA256=2D617AF2F39E39817303DA59C8802A5BD073E5E8BB1FAEECE3C692C9E1F46781,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:09.886{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Templates.2\qtquicktemplates2plugin.dll2021-07-19 10:45:09.878 23542300x800000000000000061521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.884{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFDEAA99B2CEB5042D.TMPMD5=C69718C56B91EE78A2B3D86D1F8AFBEB,SHA256=5BACB78CDE620E732044645DC7E92109810C39B3B25E38DDA5FDF345BBCBBB7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.774{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI41E2.tmpMD5=915C007381385DDEB22A0FF66AA47FAE,SHA256=F12A80A4B3EB7789B005328C25316B1C7995EFA8CD14F00EA55EE7412A3BBF09,IMPHASH=C2AAC1B2B9FA36FBEA7CD3D2B4516228truetrue 23542300x800000000000000061519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.630{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A765452BDCC0F7EF33A80511A7F49B4,SHA256=10E88F1FC132C4FDF495AF679F94C836BE8042BD9FD49D0D3C049FB54EBDF425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.624{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\wix.dllMD5=45688182A675C3B0563C9201D8F01B39,SHA256=4B3CF980A840F3E36D98FEF3B4D4C302313AC7E2EA3310F5D0D71722853975C7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x800000000000000061517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.592{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.592{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.544{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Telemetry.dllMD5=0B0D7B8DDED32A95DFC994B3C6CC0126,SHA256=6292E23132D15FBDF18B45FB9DAF837245CC08B6EF19E920BE56E2D04E754DC9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:09.535{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ucrtbase.dll2021-07-19 10:45:09.508 23542300x800000000000000028906Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:09.078{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43E69FB346D32662B0B97EAEA7C037A3,SHA256=F571E3932E20803433AE218B4AE5013F898C4BF785A15945B443A536E297A57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.430{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\System.Spatial.resources.dllMD5=AD73B408CD61BC349ECB29D018A90F25,SHA256=60225714F5F67C7AFE03ADAD6B06DE02396F687F441813847C7C5D083AB10FBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.396{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\System.Spatial.dllMD5=539ECBA6ADC02BD1711E0C0883A502AF,SHA256=0B347698A279A88CF278759100A488941AAF7ACCA96C52194845290D08A26366,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.389{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Squirrel.dllMD5=787F70131787B84A5BACCC51B5FDEB10,SHA256=D36F4F1DC51A3C93C4A578BAE0FAEE4DECD06B7B29F813197E06B5CDC105A7C3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.384{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Splat.dllMD5=1975E684C48457D72F37696BB1B880E6,SHA256=7A6F255CF59D6594C8F5BC466956F09305A3A10C8D683E485C7E1F14371701C4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 11241100x800000000000000061509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:09.380{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\platforms\qwindows.dll2021-07-19 10:45:09.380 23542300x800000000000000061508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.327{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\SetupConfigCustomAction.dllMD5=87015D400C9199B4A701EB81A664B551,SHA256=4346DC073DBB96595CC1CAD1F4EB2FCC729E8284F4968A73C25B8296A81187E4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.312{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\NuGet.Squirrel.dllMD5=6A5C1FA6116A760D4CE0B31B65A71E4C,SHA256=BCD5B82372B117F16956B5704A56FC37D3DA91A9D8A8BBB53D026B99B88F0817,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.291{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Mono.Cecil.dllMD5=7546ACEBC5A5213DEE2A5ED18D7EBC6C,SHA256=7744C9C84C28033BC3606F4DFCE2ADCD6F632E2BE7827893C3E2257100F1CF9E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:09.212{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Web.XmlTransform.dllMD5=6AD7D1E92C9833F4BDDE6A4BC84F2E1A,SHA256=13DCF5066E00152238191314D4A46605204FFABDBB830BDD0C97DF3027D1261D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x800000000000000061504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:08.953{43EB4363-57B3-60F5-D80A-00000000E501}4384ATTACKRANGE\AdministratorC:\Windows\SysWOW64\rundll32.exeC:\Windows\Installer\MSI41E2.tmp-\Microsoft.Deployment.WindowsInstaller.dllMD5=233CA870E2530DA48897DB8FA6F1E3CF,SHA256=CA420FEF4909C10E2E95C8C899FA7D009892DDDF0B2424870236F1D0676E9165,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 10341000x800000000000000061530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.881{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-57B6-60F5-D90A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.769{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB604D8FF3891DF2F831E86B8A8D8B64,SHA256=CD90FE4A71A36FFD40912A4879B06180A0B3801F2897F9B48DEF550C1F7CFA89,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028908Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:09.086{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028907Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:10.140{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25288B8EE8BC208C90B146B13006169,SHA256=8B469A1E7E4854AD8803BF89ABDD9D0CDBEBF029FE69A1342932D5096B8B33C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.523{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57B6-60F5-D90A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.523{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57B6-60F5-D90A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:10.200{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\UpdateRingSettings.dll2021-07-19 10:45:10.200 23542300x800000000000000061525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.193{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7B187139C144E0B3C8466156E01A9A3,SHA256=79A9DFD0BF68B6531C75605658E9161724007757A094D36223530013C433CD8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028909Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:11.390{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBE3881BC543159615BD9246DC934F4,SHA256=B34A6169C8478B2D6B5F6AE509D2DFC6F680305500670ACF8887EFF40D0D5990,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.706{43EB4363-56CD-60F5-F608-00000000E501}75487144C:\Windows\system32\msiexec.exe{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.593{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c636.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.593{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D077B6308828C27A7BD4C938AF5B8205,SHA256=47FA652D7ED92B944D7EA6BAF757612755C34C73123EDF5806F99E72DF608DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.593{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7B187139C144E0B3C8466156E01A9A3,SHA256=79A9DFD0BF68B6531C75605658E9161724007757A094D36223530013C433CD8E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000061537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:11.592{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00003312f700c3d03614c2c9f93e32df9af300000904\PublisherCN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US 23542300x800000000000000061536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.437{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=F8BE6AC834CB0EBAF7E14128746FE810,SHA256=239AF9413BD3F67E93FC4E5509037E0AE654E2D29F626C83B54D9DDB4698D10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.402{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBD834B2780004D44.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.371{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF4F11CDE86007F8A1.TMPMD5=F8BE6AC834CB0EBAF7E14128746FE810,SHA256=239AF9413BD3F67E93FC4E5509037E0AE654E2D29F626C83B54D9DDB4698D10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.315{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFEB4BBD3174C8A06D.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.303{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFAD2D66F65FD65D68.TMPMD5=F8BE6AC834CB0EBAF7E14128746FE810,SHA256=239AF9413BD3F67E93FC4E5509037E0AE654E2D29F626C83B54D9DDB4698D10C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.257{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c632.msiMD5=49DD8628E8747016B694E40D6AB664D4,SHA256=ED4CBF375CD9A60EBBEF5871AF17CD046105DF4D24171F3C9D50443E9EA5BB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028910Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:12.562{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8725FF9D4C3802496A7370094614B1,SHA256=A0B5E1E75425E4DDA5E2EBE8C8D0DE1531B5BE236F2A5FCADCE730B4E1AB6884,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.818{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57B8-60F5-DB0A-00000000E501}2112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000061569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\BinProductVersion19.0.0.0 13241300x800000000000000061568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LinkDate02/21/2019 17:00:00 13241300x800000000000000061567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\Publisherigor pavlov 13241300x800000000000000061566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|987e0404a196a19e\LowerCaseLongPathc:\program files\7-zip\uninstall.exe 13241300x800000000000000061565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\BinProductVersion19.0.0.0 13241300x800000000000000061564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LinkDate02/21/2019 16:00:00 13241300x800000000000000061563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\Publisherigor pavlov 13241300x800000000000000061562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:12.816{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zg.exe|66a2193c8967c10d\LowerCaseLongPathc:\program files\7-zip\7zg.exe 13241300x800000000000000061561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\BinProductVersion19.0.0.0 13241300x800000000000000061560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LinkDate02/21/2019 16:00:00 13241300x800000000000000061559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\Publisherigor pavlov 13241300x800000000000000061558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7zfm.exe|56d287950815a745\LowerCaseLongPathc:\program files\7-zip\7zfm.exe 13241300x800000000000000061557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\BinProductVersion19.0.0.0 13241300x800000000000000061556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LinkDate02/21/2019 16:00:00 13241300x800000000000000061555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\Publisherigor pavlov 13241300x800000000000000061554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:12.815{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\7z.exe|afe683e0fa522625\LowerCaseLongPathc:\program files\7-zip\7z.exe 13241300x800000000000000061553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:12.814{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\000062e2a9e9b14ba03c6c34d99bd37d04a50000ffff\PublisherIgor Pavlov 10341000x800000000000000061552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.699{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57B8-60F5-DB0A-00000000E501}2112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.699{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57B8-60F5-DB0A-00000000E501}2112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000061550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:10.241{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000061549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:12.628{43EB4363-57B8-60F5-DA0A-00000000E501}7284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1c74-0\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll2021-07-19 10:45:12.628 23542300x800000000000000061548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.506{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5A8C.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.466{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57B8-60F5-DA0A-00000000E501}7284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.452{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0D0C205E7AF0028717BB42BCF7F3A65F,SHA256=E0FCDFCD8F01541C451B6C2B807E5AC8E53B7601C066C6C32F87FAA5BE2CC5F2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:12.451{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Window.2\windowplugin.dll2021-07-19 10:45:12.451 10341000x800000000000000061544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.010{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57B8-60F5-DA0A-00000000E501}7284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:12.005{43EB4363-5784-60F5-320A-00000000E501}74682612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57B8-60F5-DA0A-00000000E501}7284C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b591|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+b518|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9e05|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:11.974{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF66FBC1AE9A5591E01E6B0C4B762029,SHA256=E9E7B45CB6B8A397D91BBD3CAD3D7C4D8F9E8C208EC72CEEE710C7D9F2C37E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028911Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:13.609{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF29901EEE7E1DC38E667B42D3D49D8,SHA256=02EDCDEB3B1BBEECDEF48F37D44B4D3FDE2D8D9249841EF2D63F0258C3A73491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.992{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57B9-60F5-DE0A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.976{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57B9-60F5-DE0A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.976{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57B9-60F5-DE0A-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.917{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57B9-60F5-DD0A-00000000E501}6188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.900{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57B9-60F5-DD0A-00000000E501}6188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.900{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57B9-60F5-DD0A-00000000E501}6188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.417{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.400{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.396{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.396{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.396{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.395{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.393{43EB4363-56CD-60F5-F608-00000000E501}75484848C:\Windows\system32\msiexec.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\ADVAPI32.dll+188af|C:\Windows\system32\Msi.dll+ec422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.393{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe1.0.0.0MainBootStrapMainBootStrap-MainBootStrap.exe"C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe" installC:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e72SystemMD5=9D9997F062E05C4A830A14A0D43B508A,SHA256=A12EE9BF211B59A17C9BAFA0336BAE7362F27665DBB0E00741E672985F444A26,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\System32\msiexec.exeC:\Windows\system32\msiexec.exe /V 13241300x800000000000000061591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:13.363{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D066B018-448B-40C5-9034-259BBCC49351}\URLUpdateInfo(Empty) 13241300x800000000000000061590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:13.363{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D066B018-448B-40C5-9034-259BBCC49351}\PublisherMicrosoft 13241300x800000000000000061589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:13.362{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{D066B018-448B-40C5-9034-259BBCC49351}\InstallSourceC:\Program Files\Microsoft Office\root\integration\Addons\ 11241100x800000000000000061588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.353{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\System.Security.Cryptography.X509Certificates.dll2021-07-19 10:45:13.352 11241100x800000000000000061587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.350{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\System.Security.Cryptography.Primitives.dll2021-07-19 10:45:13.350 11241100x800000000000000061586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.349{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\System.Security.Cryptography.Encoding.dll2021-07-19 10:45:13.349 11241100x800000000000000061585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.347{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\System.Security.Cryptography.Algorithms.dll2021-07-19 10:45:13.347 11241100x800000000000000061584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.343{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\System.Net.Http.dll2021-07-19 10:45:13.343 11241100x800000000000000061583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.341{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\Services.dll2021-07-19 10:45:13.341 11241100x800000000000000061582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.331{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\NLog.dll2021-07-19 10:45:13.331 11241100x800000000000000061581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.320{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\Newtonsoft.Json.dll2021-07-19 10:45:13.320 11241100x800000000000000061580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.319{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\Models.dll2021-07-19 10:45:13.318 11241100x800000000000000061579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:13.309{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\Managers.dll2021-07-19 10:45:13.308 254200x800000000000000061578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:13.306{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe2020-04-20 20:07:58.0002021-07-19 10:45:13.306 11241100x800000000000000061577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:13.306{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe2021-07-19 10:45:13.306 23542300x800000000000000061576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.193{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c638.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.192{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.186{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3E751F3EED87850E.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.176{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF33E4C1CB0D70D593.TMPMD5=EC966B4EACF6B34878FF7C5E0B13FA97,SHA256=B7B7504B5E7D9C040F81DEB5804922FE5045B63C092839CAFA6949B9923855AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.128{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D5CCC5F44C2CD075E6D40DCA5CB14D,SHA256=A33C51E561193E937A38498CA212C934A89DFBC9FC4B725FA56FB8824343711C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.059{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2C6312148CDE03ADAE30CDF03A068DD2,SHA256=CB7F79B0F50DC360018853B5F5F22D88CB0522DE748359BD24F2A55060E35FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028912Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:14.843{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9443D1D5820AD0EB23D90863AC1377F5,SHA256=5449F4720B1D451DEE3840C10373E8CB69820CFB50F31337757FFB656B674A27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.969{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-EA0A-00000000E501}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.968{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-EA0A-00000000E501}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.951{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.949{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+1094e1|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+10931b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+2723a5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+271edb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4621e5|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4606ee|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.935{43EB4363-37A7-60F5-1000-00000000E501}3684988C:\Windows\System32\svchost.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.924{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=86D8A5609F15E772C1D6201F1663C393,SHA256=F1E769C47BD4479CEC4E712C4D246358428FF04815D8D10FDD24EFD7CE59E36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.923{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF6352B722093DF5F.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.923{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7A6835CD2A0C3325.TMPMD5=86D8A5609F15E772C1D6201F1663C393,SHA256=F1E769C47BD4479CEC4E712C4D246358428FF04815D8D10FDD24EFD7CE59E36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.919{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF16F8A1348EAE8752.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.919{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFA6017F6F3ED78010.TMPMD5=86D8A5609F15E772C1D6201F1663C393,SHA256=F1E769C47BD4479CEC4E712C4D246358428FF04815D8D10FDD24EFD7CE59E36E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.911{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c636.msiMD5=AF9E178233F0AA84B0082AF57B871733,SHA256=EEDDA6B099C601546148F8A47921F00961199FB3AE9319C32A726A381B66C846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.896{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5D696FE9ED7C4CB0.TMPMD5=5A19D6242F0387D4EE5DB426D84D93B4,SHA256=5593199B2538683D931B433AE5A54170419DF5574E71E5548F1DEFBEE4B18E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.893{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF64337E13BD6D79C9.TMPMD5=B022A699890DB783D2203D1F9A0A9F0D,SHA256=9613AB0D7FAFC6CF523AD340A28D617E0E3064C303F4DA6653476F600FA77099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.885{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c638.rbsMD5=6D52F7268B2118E5EE9DEB0C8FAEF121,SHA256=21A68AB8647C134DD584A845F058BC7BC81EA765B1E35D41F521F8509BB2DA65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.882{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBFF3379AB7109BF6.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.882{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFADD2E0BA8D0B25B8.TMPMD5=EC966B4EACF6B34878FF7C5E0B13FA97,SHA256=B7B7504B5E7D9C040F81DEB5804922FE5045B63C092839CAFA6949B9923855AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.878{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF0898178944561D25.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.877{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF5048C6E61CFA0BD4.TMPMD5=EC966B4EACF6B34878FF7C5E0B13FA97,SHA256=B7B7504B5E7D9C040F81DEB5804922FE5045B63C092839CAFA6949B9923855AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.873{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI5A8C.tmpMD5=23F5285B12E7B3D0A3B0CB83C4305763,SHA256=9DE7ECBE2634C8E32665EC8905025006629991699503426857D60144426B2309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.872{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5340e|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b14a2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.872{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+53378|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b14a2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.872{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b14a2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.872{43EB4363-5649-60F5-C808-00000000E501}43087444C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+5335a|C:\Windows\System32\SHELL32.dll+84732|C:\Windows\SYSTEM32\msi.dll+f7052|C:\Windows\SYSTEM32\msi.dll+f945f|C:\Windows\SYSTEM32\msi.dll+f8be4|C:\Windows\SYSTEM32\msi.dll+90aa4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b14a2|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+4b1f42|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+46062c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+b0ba4|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c61bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+c4327|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe+18974a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.803{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.800{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.800{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.800{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.800{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.799{43EB4363-57B9-60F5-DC0A-00000000E501}2282396C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c79304b7b2935b39d0398e132630b5d\System.ni.dll+23cbb2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c79304b7b2935b39d0398e132630b5d\System.ni.dll+1aaaa4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_32\System\2c79304b7b2935b39d0398e132630b5d\System.ni.dll+1aa39c(wow64)|UNKNOWN(0000000004D0AD64)|UNKNOWN(0000000004D0ABD9)|UNKNOWN(0000000004D0AB04)|UNKNOWN(0000000004D0AA03)|UNKNOWN(000000000487D839)|UNKNOWN(0000000000833B4F)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64) 154100x800000000000000061640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.799{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe5.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Windows® installerWindows Installer - UnicodeMicrosoft Corporationmsiexec.exe"msiexec.exe" /i C:\ProgramData\Microsoft\DefaultPackMSI\MicrosoftSearchInBing.msi /qnC:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e72SystemMD5=0BDEAEA7BB4AE7822416CD37EA8EE00D,SHA256=5C188CE4E21FAB002B4D669F91FA19341AB4260F83D798FDAC53229D675DB6BA,IMPHASH=B4730776DFCE61DBCD10D002E3D530E1{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe"C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe" install 10341000x800000000000000061639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.685{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.685{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.640{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:14.578{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\qml\QtQuick\Controls\Styles\Flat\qtquickextrasflatplugin.dll2021-07-19 10:45:14.578 10341000x800000000000000061635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.498{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E70A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.485{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E70A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.485{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E70A-00000000E501}5508C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.470{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exeC:\Users\Administrator\AppData\Local\Temp\4D7F90B8-F05F-436A-98BD-2DA9BC03BE8A.txt2021-07-19 10:45:14.470 10341000x800000000000000061631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.431{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E60A-00000000E501}7840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.417{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E60A-00000000E501}7840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.417{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E60A-00000000E501}7840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.412{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=848C6C3E38B80713D844C0917A4E3100,SHA256=B7FE50B6E237019F4C1594FD3404E7756FA20377BE52FAFC20E7E1C26F0FA49C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.374{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E50A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.362{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E50A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.362{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E50A-00000000E501}8168C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.318{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E40A-00000000E501}7988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.304{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E40A-00000000E501}7988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.304{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E40A-00000000E501}7988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.275{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E30A-00000000E501}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.269{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F8891EE190FD39B9873E447160EDE4,SHA256=ADB0E32812067AE3E7E87A1EC29379A3B343F88293E59296174FE38B5E72CAAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.258{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E30A-00000000E501}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.257{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E30A-00000000E501}6712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.227{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E20A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.213{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E20A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.212{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E20A-00000000E501}4384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.170{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E10A-00000000E501}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.158{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E10A-00000000E501}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.158{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E10A-00000000E501}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.114{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E00A-00000000E501}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.101{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-E00A-00000000E501}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.101{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-E00A-00000000E501}4372C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.056{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-DF0A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.039{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BA-60F5-DF0A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.039{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BA-60F5-DF0A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.986{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EE0A-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.973{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BB-60F5-EE0A-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.973{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BB-60F5-EE0A-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.919{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=ACB8BE1A9ADB64667A7C12679C373B13,SHA256=CC703D4FDBC4E3E3A71B96FFECF6B8AD7D03EEDC8B8675D109AA12271362467C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.901{43EB4363-37A7-60F5-1600-00000000E501}12727980C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+8d212|C:\Windows\system32\wbem\wmiprvsd.dll+8dfd1|C:\Windows\system32\wbem\wmiprvsd.dll+3b42f|C:\Windows\system32\wbem\wmiprvsd.dll+d4be|C:\Windows\system32\wbem\wbemcore.dll+2af4f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.856{43EB4363-57BB-60F5-EC0A-00000000E501}7524NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\wbem\wmiprvse.exeC:\Windows\INF\disk.PNFMD5=4EFFFA1A69CC68965A020830F5849EB6,SHA256=B483BF142AF92CA4090161655EEB82EBFAE5BD835896B15A5680CD0824CC2C46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.839{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.839{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.801{43EB4363-37A7-60F5-1600-00000000E501}12727980C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.798{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EB0A-00000000E501}7324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.797{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.794{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.794{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.793{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.793{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.793{43EB4363-37A4-60F5-0A00-00000000E501}608668C:\Windows\system32\services.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000061838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.791{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe1.0.0.0MicrosoftSearchInBingMicrosoftSearchInBing-MicrosoftSearchInBing.exe"C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=3F3B0223CBA01746962CCD3C18C39F9B,SHA256=77B990CB81CF51BF1BA80BBA23EF5F5161309F74418BAC8A3AE930EB85EF5374,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x800000000000000061837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:15.787{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\DescriptionA service to config default search engine to Bing 13241300x800000000000000061836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\ObjectNameLocalSystem 13241300x800000000000000061835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\DisplayNameMicrosoft Search in Bing 13241300x800000000000000061834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1031,T1050SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\ImagePath"C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe" 13241300x800000000000000061833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\ErrorControlDWORD (0x00000001) 13241300x800000000000000061832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1031,T1050SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\StartDWORD (0x00000002) 13241300x800000000000000061831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:15.786{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\MicrosoftSearchInBing\TypeDWORD (0x00000010) 254200x800000000000000061830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:15.781{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\UninstallService.exe2020-04-20 19:59:36.0002021-07-19 10:45:15.780 11241100x800000000000000061829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:15.781{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\UninstallService.exe2021-07-19 10:45:15.780 11241100x800000000000000061828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.779{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\System.Security.Cryptography.X509Certificates.dll2021-07-19 10:45:15.779 10341000x800000000000000061827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.778{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.777{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\System.Security.Cryptography.Primitives.dll2021-07-19 10:45:15.777 11241100x800000000000000061825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.776{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\System.Security.Cryptography.Encoding.dll2021-07-19 10:45:15.776 11241100x800000000000000061824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.774{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\System.Security.Cryptography.Algorithms.dll2021-07-19 10:45:15.774 11241100x800000000000000061823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.770{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\System.Net.Http.dll2021-07-19 10:45:15.769 11241100x800000000000000061822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.767{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\Services.dll2021-07-19 10:45:15.767 254200x800000000000000061821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:15.765{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\RemoveMSBextension.exe2020-04-20 20:00:56.0002021-07-19 10:45:15.764 11241100x800000000000000061820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:15.764{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\RemoveMSBextension.exe2021-07-19 10:45:15.764 23542300x800000000000000061819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17433D68BDD090BD086172947C988CCB,SHA256=61EC3EDDD70E014847F995F50B3441383A6116459DC929071431974E52A2AB5A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.746{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\NLog.dll2021-07-19 10:45:15.746 10341000x800000000000000061817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.746{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.745{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-EC0A-00000000E501}7524C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000061815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.581{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local64801- 354300x800000000000000061814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:13.567{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65116-false93.184.220.29-80http 10341000x800000000000000061813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.730{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.730{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.730{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000061810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.721{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\Newtonsoft.Json.dll2021-07-19 10:45:15.721 11241100x800000000000000061809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.717{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\Models.dll2021-07-19 10:45:15.717 254200x800000000000000061808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:15.715{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe2020-04-20 20:04:42.0002021-07-19 10:45:15.714 11241100x800000000000000061807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:15.714{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe2021-07-19 10:45:15.714 23542300x800000000000000061806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.713{43EB4363-5649-60F5-C808-00000000E501}4308ATTACKRANGE\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-walMD5=575087E1536E7014F961DFFE20E59EC0,SHA256=C2A147FEAE84D5232D6FF1F1412A5285E9EB36A9991A4390FCB779BE318982F1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.713{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\Messaging.dll2021-07-19 10:45:15.713 23542300x800000000000000061804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.712{43EB4363-5649-60F5-C808-00000000E501}4308ATTACKRANGE\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shmMD5=4E54EBE72A0C30BC0BF956C32FD3A31F,SHA256=FD05435AD0B3CC8BC883D5C35D7869CA47ED6654D0ABC10550D2D9E3A38CB238,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.710{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\Managers.dll2021-07-19 10:45:15.710 254200x800000000000000061802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:15.706{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MainExtBootStrap.exe2020-04-20 20:06:26.0002021-07-19 10:45:15.706 11241100x800000000000000061801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:15.706{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MainExtBootStrap.exe2021-07-19 10:45:15.706 254200x800000000000000061800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10992021-07-19 10:45:15.704{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\ExtensionNativeHost.exe2020-04-20 20:45:32.0002021-07-19 10:45:15.703 11241100x800000000000000061799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:15.703{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\ExtensionNativeHost.exe2021-07-19 10:45:15.703 11241100x800000000000000061798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:15.697{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeC:\Program Files (x86)\Microsoft\Microsoft Search in Bing\DefaultPackOffer.dll2021-07-19 10:45:15.696 10341000x800000000000000061797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.693{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.680{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c63c.rbsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.676{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.676{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.674{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFC0AB00F363C55517.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000061792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.672{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3A06D0C37A0D3039.TMPMD5=7F742924C0AB1A6E789BDA5D51B6919B,SHA256=99B1AAFDB1FFB894D98610B8ECFC53CAA28E46EDB51F1B1248DC1F55B0E1DAA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.669{43EB4363-37A7-60F5-1600-00000000E501}12724104C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.669{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.649{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BB-60F5-EB0A-00000000E501}7324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000061788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.649{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BB-60F5-EB0A-00000000E501}7324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.644{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI66D1.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.570{43EB4363-56CD-60F5-F608-00000000E501}75487948C:\Windows\system32\msiexec.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\apphelp.dll+20ffd|C:\Windows\system32\apphelp.dll+209c1|C:\Windows\system32\Msi.dll+19e41d|C:\Windows\system32\Msi.dll+2eaae|C:\Windows\system32\Msi.dll+47505|C:\Windows\system32\Msi.dll+10a8c5|C:\Windows\system32\Msi.dll+109ae6|C:\Windows\system32\Msi.dll+f407f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.562{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c63a.msiMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.558{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D32F1BD0C231FECC4CF01340A1FD713D,SHA256=4A55F0AB991C186DC40C702226E1B04A10DD1034C767784509F328FB689C70FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.556{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.545{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.499{43EB4363-37A7-60F5-1600-00000000E501}12724104C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.499{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-E80A-00000000E501}7552C:\Windows\SysWOW64\msiexec.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.432{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D09537200F01F8F0E8449BFC3AE67673,SHA256=1CA21622FBCD9C654AF581607EE9555AED12B391EF63F5C23443AC49C81E35AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.252{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.252{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.248{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.247{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.247{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.247{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.245{43EB4363-55C4-60F5-7E08-00000000E501}22882528C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000061771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.245{43EB4363-55C4-60F5-7E08-00000000E501}22882528C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000061770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.233{43EB4363-564B-60F5-C908-00000000E501}65766608C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.220{43EB4363-564B-60F5-C908-00000000E501}65766608C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000061768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.219{43EB4363-564B-60F5-C908-00000000E501}65766608C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 23542300x800000000000000061767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.214{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D2ED72D54D1B30AE561F814BC7C5EC4,SHA256=880FB069EC04240986F24D654353B7FC91BD34E236D028AFB44D972EC8DDE929,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.203{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.203{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54C31E7A6921BB03CC2AE85E8764B92,SHA256=04A2EE05BE606E88AD377881CEE4D6FAFFDAF4F7262C8FE3243924F569E83178,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.194{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.193{43EB4363-55C4-60F5-7D08-00000000E501}24646100C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.192{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.192{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.191{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.191{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.188{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.186{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.186{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.185{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.185{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.184{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.179{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.179{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.179{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.178{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.178{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.178{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.178{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.178{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.177{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.176{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.176{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.176{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.172{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.168{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000061737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.168{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000061736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.165{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.165{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.165{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.165{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.164{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.163{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.163{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.152{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\shcore.dll+35576|C:\Windows\System32\shcore.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000061728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.150{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2a3d79|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.149{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+2ca112|C:\Windows\System32\windows.storage.dll+e3b85|C:\Windows\System32\windows.storage.dll+14cd96|C:\Windows\System32\windows.storage.dll+2a3cdb|C:\Windows\System32\windows.storage.dll+14d4b3|C:\Windows\System32\windows.storage.dll+14d52a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.147{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.147{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.141{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.141{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.141{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.141{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.140{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\combase.dll+251f2|C:\Windows\System32\combase.dll+25b1e|C:\Windows\System32\combase.dll+258df|C:\Windows\System32\combase.dll+59288|C:\Windows\System32\combase.dll+58ea0|C:\Windows\System32\combase.dll+66087|C:\Windows\System32\combase.dll+c2554|C:\Windows\System32\combase.dll+62f11|C:\Windows\System32\combase.dll+646f0|C:\Windows\System32\combase.dll+217a|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000061719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.137{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A8DC6238EA7F4A22C70C55F563AD90,SHA256=5F9339B18E1833580776FC22C4D801D9B6D9C61622A640B26197F61D68DA1462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.132{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+df6f3|C:\Windows\System32\windows.storage.dll+dee61|C:\Windows\System32\windows.storage.dll+ded75|C:\Windows\System32\windows.storage.dll+ded0e|C:\Windows\System32\windows.storage.dll+5ba79|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 10341000x800000000000000061717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.132{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e1ef3|C:\Windows\System32\windows.storage.dll+5b8f0|C:\Windows\System32\windows.storage.dll+5b847|C:\Windows\System32\windows.storage.dll+5ba17|C:\Windows\System32\windows.storage.dll+13a3a6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000061716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.131{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+e3c87|C:\Windows\System32\windows.storage.dll+13a465|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000061715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.131{43EB4363-55C4-60F5-7D08-00000000E501}24648128C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+13a439|C:\Windows\System32\windows.storage.dll+13a388|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.storage.dll+e4fdc 10341000x800000000000000061714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.131{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.131{43EB4363-55C4-60F5-7D08-00000000E501}24645868C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+b7f48|C:\Windows\System32\windows.storage.dll+1a2cf9|C:\Windows\System32\windows.storage.dll+1a2b55|C:\Windows\System32\windows.storage.dll+b8ca6|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000061712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.130{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.126{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.126{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.125{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.124{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.123{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.123{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.121{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_7_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.109{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.109{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.103{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.102{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.102{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.101{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.100{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.097{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.096{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000061690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.095{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.094{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.092{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_6_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.090{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.089{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.088{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.082{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.083{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B48EFDC1534BA0519BA8289C1B984E8D,SHA256=97156B7AC66F6973657F6540A70AF6D5C428809B142251984CE960303B785005,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.082{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.076{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1783C7A765FEC03D47DEE2E96707A237,SHA256=DBF4D83BE454D0499AA580B911AB29AB0A9068E6E073BF963AAD0100F219D310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.073{43EB4363-564B-60F5-C908-00000000E501}65766608C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-57BA-60F5-E90A-00000000E501}7920C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonx64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000061679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.072{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=76F8EC67854D1C82F021C53CB921D2BC,SHA256=E3FC30194E6C417E1D4D958E5E8C7A1908700A1E3C302CFCBF008D0103770E88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.068{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.067{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.062{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.062{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.062{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.061{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.061{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.060{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000061670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.053{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57BA-60F5-EA0A-00000000E501}6920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000062337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\BinProductVersion2.32.0.2 13241300x800000000000000062336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LinkDate07/06/2021 19:09:00 13241300x800000000000000062335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\Publisherthe git development community 13241300x800000000000000062334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry-pick.|997eacdc80577639\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry-pick.exe 13241300x800000000000000062333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\BinProductVersion2.32.0.2 13241300x800000000000000062332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\Publisherthe git development community 13241300x800000000000000062330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout.exe|76b55428c67a380b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout.exe 13241300x800000000000000062329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\BinProductVersion2.32.0.2 13241300x800000000000000062328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LinkDate07/06/2021 19:09:00 13241300x800000000000000062327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\Publisherthe git development community 13241300x800000000000000062326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout-ind|7b051b3e6750a804\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout-index.exe 13241300x800000000000000062325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\BinProductVersion2.32.0.2 13241300x800000000000000062324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LinkDate07/06/2021 19:09:00 13241300x800000000000000062323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\Publisherthe git development community 13241300x800000000000000062322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.313{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-checkout--wo|5e17ac3afeabc004\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-checkout--worker.exe 13241300x800000000000000062321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\BinProductVersion2.32.0.2 13241300x800000000000000062320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LinkDate07/06/2021 19:09:00 13241300x800000000000000062319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\Publisherthe git development community 13241300x800000000000000062318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ref-fo|4c4aae0ebfb00b85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ref-format.exe 13241300x800000000000000062317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\BinProductVersion2.32.0.2 13241300x800000000000000062316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LinkDate07/06/2021 19:09:00 13241300x800000000000000062315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\Publisherthe git development community 13241300x800000000000000062314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.312{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-mailma|ed52c712797b00dc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-mailmap.exe 13241300x800000000000000062313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\BinProductVersion2.32.0.2 13241300x800000000000000062312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LinkDate07/06/2021 19:09:00 13241300x800000000000000062311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\Publisherthe git development community 13241300x800000000000000062310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-ignore|9bc04723247ac2dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-ignore.exe 13241300x800000000000000062309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\BinProductVersion2.32.0.2 13241300x800000000000000062308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LinkDate07/06/2021 19:09:00 13241300x800000000000000062307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\Publisherthe git development community 13241300x800000000000000062306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.311{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-check-attr.e|57c1145da335bf27\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-check-attr.exe 13241300x800000000000000062305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\BinProductVersion2.32.0.2 13241300x800000000000000062304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LinkDate07/06/2021 19:09:00 13241300x800000000000000062303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\Publisherthe git development community 13241300x800000000000000062302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cat-file.exe|d0e6669a50eba4df\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cat-file.exe 13241300x800000000000000062301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\BinProductVersion2.32.0.2 13241300x800000000000000062300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\Publisherthe git development community 13241300x800000000000000062298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bundle.exe|fac576bd3a94d60b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bundle.exe 13241300x800000000000000062297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.310{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\BinProductVersion2.32.0.2 13241300x800000000000000062296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LinkDate07/06/2021 19:09:00 13241300x800000000000000062295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\Publisherthe git development community 13241300x800000000000000062294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bugreport.ex|59a0df6a91883120\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bugreport.exe 13241300x800000000000000062293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\BinProductVersion2.32.0.2 13241300x800000000000000062292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\Publisherthe git development community 13241300x800000000000000062290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-branch.exe|60e03a3ca4e1184b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-branch.exe 13241300x800000000000000062289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\BinProductVersion2.32.0.2 13241300x800000000000000062288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.309{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LinkDate07/06/2021 19:09:00 13241300x800000000000000062287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\Publisherthe git development community 13241300x800000000000000062286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-blame.exe|695e1b21d217f64a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-blame.exe 13241300x800000000000000062285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\BinProductVersion2.32.0.2 13241300x800000000000000062284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LinkDate07/06/2021 19:09:00 13241300x800000000000000062283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\Publisherthe git development community 13241300x800000000000000062282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bisect--help|2b85661c358f83f3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-bisect--helper.exe 13241300x800000000000000062281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\BinProductVersion2.32.0.2 13241300x800000000000000062280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LinkDate07/06/2021 19:01:04 13241300x800000000000000062279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.308{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\Publisherthe git development community 13241300x800000000000000062278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-bash.exe|bb55e09d0018cc9\LowerCaseLongPathc:\program files\git\git-bash.exe 13241300x800000000000000062277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\BinProductVersion(Empty) 13241300x800000000000000062276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LinkDate01/01/1970 00:00:00 13241300x800000000000000062275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\Publisher(Empty) 13241300x800000000000000062274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askyesno.exe|307382c653791a6b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-askyesno.exe 13241300x800000000000000062273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\BinProductVersion1.20.0.0 13241300x800000000000000062272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.307{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\LinkDate09/06/2019 12:59:42 13241300x800000000000000062271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\Publishermicrosoft corporation 13241300x800000000000000062270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-askpass.exe|ac0f34128b42387d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-askpass.exe 13241300x800000000000000062269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\BinProductVersion2.32.0.2 13241300x800000000000000062268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LinkDate07/06/2021 19:09:00 13241300x800000000000000062267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\Publisherthe git development community 13241300x800000000000000062266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.306{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-archive.exe|36a80009064dc962\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-archive.exe 13241300x800000000000000062265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\BinProductVersion2.32.0.2 13241300x800000000000000062264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\Publisherthe git development community 13241300x800000000000000062262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-apply.exe|12e49d92e436268f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-apply.exe 13241300x800000000000000062261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\BinProductVersion2.32.0.2 13241300x800000000000000062260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LinkDate07/06/2021 19:09:00 13241300x800000000000000062259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\Publisherthe git development community 13241300x800000000000000062258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-annotate.exe|a44a56d360566d96\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-annotate.exe 13241300x800000000000000062257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.305{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\BinProductVersion2.32.0.2 13241300x800000000000000062256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LinkDate07/06/2021 19:09:00 13241300x800000000000000062255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\Publisherthe git development community 13241300x800000000000000062254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-am.exe|4f482c30f10b83a7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-am.exe 13241300x800000000000000062253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\BinProductVersion2.32.0.2 13241300x800000000000000062252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LinkDate07/06/2021 19:09:00 13241300x800000000000000062251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\Publisherthe git development community 13241300x800000000000000062250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-add.exe|cbf55eec74d083b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-add.exe 13241300x800000000000000062249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.304{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\BinProductVersion(Empty) 13241300x800000000000000062248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LinkDate01/01/1970 00:00:00 13241300x800000000000000062247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\Publisher(Empty) 13241300x800000000000000062246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gio-querymodules|c9cec5f8077b3334\LowerCaseLongPathc:\program files\git\usr\bin\gio-querymodules.exe 13241300x800000000000000062245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\BinProductVersion0.19.8.0 13241300x800000000000000062244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LinkDate01/01/1970 04:44:00 13241300x800000000000000062243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\Publisherfree software foundation 13241300x800000000000000062242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|8596cb6c6d32afb4\LowerCaseLongPathc:\program files\git\usr\bin\gettext.exe 13241300x800000000000000062241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\BinProductVersion0.19.8.0 13241300x800000000000000062240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LinkDate01/01/1970 00:00:00 13241300x800000000000000062239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.303{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\Publisherfree software foundation 13241300x800000000000000062238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gettext.exe|3980488749a39656\LowerCaseLongPathc:\program files\git\mingw64\bin\gettext.exe 13241300x800000000000000062237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\BinProductVersion(Empty) 13241300x800000000000000062236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LinkDate03/26/2021 22:24:41 13241300x800000000000000062235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\Publisher(Empty) 13241300x800000000000000062234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr64.ex|683e30977215239e\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr64.exe 13241300x800000000000000062233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\BinProductVersion(Empty) 13241300x800000000000000062232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LinkDate03/26/2021 22:24:41 13241300x800000000000000062231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\Publisher(Empty) 13241300x800000000000000062230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.302{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getprocaddr32.ex|11de5925d9c6baa7\LowerCaseLongPathc:\program files\git\usr\libexec\getprocaddr32.exe 13241300x800000000000000062229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\BinProductVersion(Empty) 13241300x800000000000000062228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LinkDate01/01/1970 00:00:00 13241300x800000000000000062227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\Publisher(Empty) 13241300x800000000000000062226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getopt.exe|b37205341d75e599\LowerCaseLongPathc:\program files\git\usr\bin\getopt.exe 13241300x800000000000000062225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\BinProductVersion(Empty) 13241300x800000000000000062224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LinkDate03/26/2021 22:24:39 13241300x800000000000000062223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\Publisher(Empty) 13241300x800000000000000062222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.301{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getfacl.exe|69b0f93924f494f7\LowerCaseLongPathc:\program files\git\usr\bin\getfacl.exe 13241300x800000000000000062221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\BinProductVersion(Empty) 13241300x800000000000000062220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LinkDate03/26/2021 22:24:39 13241300x800000000000000062219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\Publisher(Empty) 13241300x800000000000000062218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\getconf.exe|c7f6d864684a6d19\LowerCaseLongPathc:\program files\git\usr\bin\getconf.exe 13241300x800000000000000062217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\BinProductVersion(Empty) 13241300x800000000000000062216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LinkDate03/26/2021 22:24:39 13241300x800000000000000062215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\Publisher(Empty) 13241300x800000000000000062214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.300{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gencat.exe|89f29a911ad31f09\LowerCaseLongPathc:\program files\git\usr\bin\gencat.exe 13241300x800000000000000062213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\BinProductVersion(Empty) 13241300x800000000000000062212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LinkDate01/01/1970 00:00:00 13241300x800000000000000062211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\Publisher(Empty) 13241300x800000000000000062210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gdbus.exe|bf2693ac7275e90\LowerCaseLongPathc:\program files\git\usr\bin\gdbus.exe 13241300x800000000000000062209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\BinProductVersion(Empty) 13241300x800000000000000062208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LinkDate01/01/1970 00:00:00 13241300x800000000000000062207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\Publisher(Empty) 13241300x800000000000000062206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.299{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk.exe|33613608746cae13\LowerCaseLongPathc:\program files\git\usr\bin\gawk.exe 13241300x800000000000000062205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\BinProductVersion(Empty) 13241300x800000000000000062204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LinkDate01/01/1970 00:00:00 13241300x800000000000000062203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\Publisher(Empty) 13241300x800000000000000062202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gawk-5.0.0.exe|709e9d005b0b4928\LowerCaseLongPathc:\program files\git\usr\bin\gawk-5.0.0.exe 13241300x800000000000000062201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\BinProductVersion(Empty) 13241300x800000000000000062200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LinkDate01/01/1970 00:00:00 13241300x800000000000000062199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\Publisher(Empty) 13241300x800000000000000062198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.298{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gapplication.exe|4ee0a6aaade17793\LowerCaseLongPathc:\program files\git\usr\bin\gapplication.exe 13241300x800000000000000062197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\BinProductVersion(Empty) 13241300x800000000000000062196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LinkDate05/08/2031 18:06:26 13241300x800000000000000062195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\Publisher(Empty) 13241300x800000000000000062194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\funzip.exe|8d9537366e67e65c\LowerCaseLongPathc:\program files\git\usr\bin\funzip.exe 13241300x800000000000000062193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\BinProductVersion(Empty) 13241300x800000000000000062192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.297{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LinkDate01/01/1970 00:00:00 13241300x800000000000000062191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\Publisher(Empty) 13241300x800000000000000062190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\frcode.exe|c02ff0fb50c67deb\LowerCaseLongPathc:\program files\git\usr\libexec\frcode.exe 13241300x800000000000000062189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\BinProductVersion(Empty) 13241300x800000000000000062188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LinkDate01/01/1970 00:00:00 13241300x800000000000000062187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\Publisher(Empty) 13241300x800000000000000062186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fold.exe|84163f1e2201dd71\LowerCaseLongPathc:\program files\git\usr\bin\fold.exe 13241300x800000000000000062185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\BinProductVersion(Empty) 13241300x800000000000000062184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LinkDate01/01/1970 00:00:00 13241300x800000000000000062183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\Publisher(Empty) 13241300x800000000000000062182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.296{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fmt.exe|74780154d3c66e14\LowerCaseLongPathc:\program files\git\usr\bin\fmt.exe 13241300x800000000000000062181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\BinProductVersion(Empty) 13241300x800000000000000062180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LinkDate01/01/1970 00:00:00 13241300x800000000000000062179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\Publisher(Empty) 13241300x800000000000000062178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\find.exe|d79fa77470677f17\LowerCaseLongPathc:\program files\git\usr\bin\find.exe 354300x800000000000000062177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:14.616{43EB4363-57B9-60F5-DC0A-00000000E501}228C:\ProgramData\Microsoft\DefaultPackMSI\MainBootStrap.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65117-false13.107.6.158bingforbusiness.com443https 13241300x800000000000000062176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\BinProductVersion(Empty) 13241300x800000000000000062175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LinkDate01/01/1970 00:00:00 13241300x800000000000000062174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\Publisher(Empty) 13241300x800000000000000062173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\file.exe|9412a967e2d15f0f\LowerCaseLongPathc:\program files\git\usr\bin\file.exe 13241300x800000000000000062172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.295{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\BinProductVersion(Empty) 13241300x800000000000000062171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LinkDate01/01/1970 00:00:00 13241300x800000000000000062170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\Publisher(Empty) 13241300x800000000000000062169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-token.exe|a3c5680a4f7259a\LowerCaseLongPathc:\program files\git\usr\bin\fido2-token.exe 13241300x800000000000000062168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\BinProductVersion(Empty) 13241300x800000000000000062167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LinkDate01/01/1970 00:00:00 13241300x800000000000000062166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\Publisher(Empty) 13241300x800000000000000062165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-cred.exe|c2222f8371b081a5\LowerCaseLongPathc:\program files\git\usr\bin\fido2-cred.exe 13241300x800000000000000062164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\BinProductVersion(Empty) 13241300x800000000000000062163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.294{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LinkDate01/01/1970 00:00:00 13241300x800000000000000062162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\Publisher(Empty) 13241300x800000000000000062161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fido2-assert.exe|94d2ea2ef1445ec9\LowerCaseLongPathc:\program files\git\usr\bin\fido2-assert.exe 13241300x800000000000000062160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\BinProductVersion(Empty) 13241300x800000000000000062159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LinkDate01/01/1970 00:00:00 13241300x800000000000000062158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\Publisher(Empty) 13241300x800000000000000062157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\false.exe|8d9fec6786dfc816\LowerCaseLongPathc:\program files\git\usr\bin\false.exe 13241300x800000000000000062156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\BinProductVersion(Empty) 13241300x800000000000000062155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LinkDate01/01/1970 00:00:00 13241300x800000000000000062154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\Publisher(Empty) 13241300x800000000000000062153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.293{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\factor.exe|b56619397de59334\LowerCaseLongPathc:\program files\git\usr\bin\factor.exe 13241300x800000000000000062152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\BinProductVersion(Empty) 13241300x800000000000000062151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LinkDate01/01/1970 00:00:00 13241300x800000000000000062150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\Publisher(Empty) 13241300x800000000000000062149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expr.exe|2052e3951d88a155\LowerCaseLongPathc:\program files\git\usr\bin\expr.exe 13241300x800000000000000062148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\BinProductVersion(Empty) 13241300x800000000000000062147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LinkDate01/01/1970 00:00:00 13241300x800000000000000062146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\Publisher(Empty) 13241300x800000000000000062145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.292{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\expand.exe|48fc5987fb05c50d\LowerCaseLongPathc:\program files\git\usr\bin\expand.exe 13241300x800000000000000062144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\BinProductVersion(Empty) 13241300x800000000000000062143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LinkDate01/01/1970 00:00:00 13241300x800000000000000062142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\Publisher(Empty) 13241300x800000000000000062141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ex.exe|a5705edbed8fc6c4\LowerCaseLongPathc:\program files\git\usr\bin\ex.exe 13241300x800000000000000062140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\BinProductVersion0.19.8.0 13241300x800000000000000062139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LinkDate01/01/1970 00:00:00 13241300x800000000000000062138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\Publisherfree software foundation 13241300x800000000000000062137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|eadcd0623e89b9ae\LowerCaseLongPathc:\program files\git\mingw64\bin\envsubst.exe 13241300x800000000000000062136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\BinProductVersion0.19.8.0 13241300x800000000000000062135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.291{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LinkDate12/01/2031 01:05:42 13241300x800000000000000062134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\Publisherfree software foundation 13241300x800000000000000062133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\envsubst.exe|660c72e4fd95bfd4\LowerCaseLongPathc:\program files\git\usr\bin\envsubst.exe 13241300x800000000000000062132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\BinProductVersion(Empty) 13241300x800000000000000062131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LinkDate01/01/1970 00:00:00 13241300x800000000000000062130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\Publisher(Empty) 13241300x800000000000000062129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\env.exe|7508509d7b06f998\LowerCaseLongPathc:\program files\git\usr\bin\env.exe 13241300x800000000000000062128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\BinProductVersion(Empty) 13241300x800000000000000062127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.290{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LinkDate01/01/1970 00:00:00 13241300x800000000000000062126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\Publisher(Empty) 13241300x800000000000000062125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test_dll.ex|2cd5024859c22e2e\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test_dll.exe 13241300x800000000000000062124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\BinProductVersion(Empty) 13241300x800000000000000062123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LinkDate01/01/1970 00:00:00 13241300x800000000000000062122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\Publisher(Empty) 13241300x800000000000000062121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit_test.exe|e47ad3e671162baa\LowerCaseLongPathc:\program files\git\mingw64\bin\edit_test.exe 13241300x800000000000000062120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\BinProductVersion(Empty) 13241300x800000000000000062119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LinkDate07/06/2021 19:01:04 13241300x800000000000000062118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.289{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\Publisher(Empty) 13241300x800000000000000062117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\edit-git-bash.ex|c4b83d4312564a9\LowerCaseLongPathc:\program files\git\mingw64\share\git\edit-git-bash.exe 13241300x800000000000000062116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\echo.exe|263446599120623a\BinProductVersion(Empty) 13241300x800000000000000062115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LinkDate01/01/1970 00:00:00 13241300x800000000000000062114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\echo.exe|263446599120623a\Publisher(Empty) 13241300x800000000000000062113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\echo.exe|263446599120623a\LowerCaseLongPathc:\program files\git\usr\bin\echo.exe 13241300x800000000000000062112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\BinProductVersion(Empty) 13241300x800000000000000062111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LinkDate01/01/1970 00:00:00 13241300x800000000000000062110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\Publisher(Empty) 13241300x800000000000000062109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.288{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dumpsexp.exe|45a2659c07e3df2c\LowerCaseLongPathc:\program files\git\usr\bin\dumpsexp.exe 13241300x800000000000000062108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\BinProductVersion(Empty) 13241300x800000000000000062107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LinkDate01/01/1970 00:00:00 13241300x800000000000000062106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\Publisher(Empty) 13241300x800000000000000062105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\du.exe|2b10b32847099da7\LowerCaseLongPathc:\program files\git\usr\bin\du.exe 13241300x800000000000000062104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\BinProductVersion(Empty) 13241300x800000000000000062103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LinkDate01/01/1970 00:00:00 13241300x800000000000000062102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\Publisher(Empty) 13241300x800000000000000062101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dos2unix.exe|e819f56941027f1c\LowerCaseLongPathc:\program files\git\usr\bin\dos2unix.exe 13241300x800000000000000062100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\BinProductVersion(Empty) 13241300x800000000000000062099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.287{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LinkDate01/01/1970 00:00:00 13241300x800000000000000062098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\Publisher(Empty) 13241300x800000000000000062097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirname.exe|b029038512034ced\LowerCaseLongPathc:\program files\git\usr\bin\dirname.exe 13241300x800000000000000062096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\BinProductVersion(Empty) 13241300x800000000000000062095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LinkDate01/01/1970 00:00:00 13241300x800000000000000062094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\Publisher(Empty) 13241300x800000000000000062093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr.exe|fe24969724873327\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr.exe 13241300x800000000000000062092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\BinProductVersion(Empty) 13241300x800000000000000062091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LinkDate01/01/1970 00:00:00 13241300x800000000000000062090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.286{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\Publisher(Empty) 13241300x800000000000000062089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dirmngr-client.e|d59c8fc399717975\LowerCaseLongPathc:\program files\git\usr\bin\dirmngr-client.exe 13241300x800000000000000062088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\BinProductVersion(Empty) 13241300x800000000000000062087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LinkDate01/01/1970 00:00:00 13241300x800000000000000062086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\Publisher(Empty) 13241300x800000000000000062085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dircolors.exe|2c054bf1c4846ccd\LowerCaseLongPathc:\program files\git\usr\bin\dircolors.exe 13241300x800000000000000062084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\BinProductVersion(Empty) 13241300x800000000000000062083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LinkDate01/01/1970 00:00:00 13241300x800000000000000062082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\Publisher(Empty) 13241300x800000000000000062081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.285{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dir.exe|100b2e6a725becca\LowerCaseLongPathc:\program files\git\usr\bin\dir.exe 13241300x800000000000000062080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\BinProductVersion(Empty) 13241300x800000000000000062079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LinkDate01/01/1970 00:00:00 13241300x800000000000000062078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\Publisher(Empty) 13241300x800000000000000062077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff3.exe|db0f57bb42b2e275\LowerCaseLongPathc:\program files\git\usr\bin\diff3.exe 13241300x800000000000000062076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\BinProductVersion(Empty) 13241300x800000000000000062075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LinkDate01/01/1970 00:00:00 13241300x800000000000000062074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\Publisher(Empty) 13241300x800000000000000062073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.284{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\diff.exe|c7ecb5c4d9c537e1\LowerCaseLongPathc:\program files\git\usr\bin\diff.exe 13241300x800000000000000062072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\BinProductVersion(Empty) 13241300x800000000000000062071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LinkDate01/01/1970 00:00:00 13241300x800000000000000062070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\Publisher(Empty) 13241300x800000000000000062069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\df.exe|65dd80792ce5f665\LowerCaseLongPathc:\program files\git\usr\bin\df.exe 13241300x800000000000000062068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\BinProductVersion(Empty) 13241300x800000000000000062067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LinkDate01/01/1970 00:00:00 13241300x800000000000000062066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\Publisher(Empty) 13241300x800000000000000062065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dd.exe|d6bffb363596af3e\LowerCaseLongPathc:\program files\git\usr\bin\dd.exe 13241300x800000000000000062064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\BinProductVersion(Empty) 13241300x800000000000000062063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.283{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LinkDate01/01/1970 00:00:00 13241300x800000000000000062062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\Publisher(Empty) 13241300x800000000000000062061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\date.exe|15400b5e3ba75572\LowerCaseLongPathc:\program files\git\usr\bin\date.exe 13241300x800000000000000062060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\BinProductVersion(Empty) 13241300x800000000000000062059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LinkDate01/01/1970 00:00:00 13241300x800000000000000062058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\Publisher(Empty) 13241300x800000000000000062057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dash.exe|d7e7d55ce6ee5457\LowerCaseLongPathc:\program files\git\usr\bin\dash.exe 13241300x800000000000000062056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\BinProductVersion(Empty) 13241300x800000000000000062055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LinkDate01/01/1970 00:00:00 13241300x800000000000000062054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.282{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\Publisher(Empty) 13241300x800000000000000062053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\d2u.exe|9a42254ebeca6f7a\LowerCaseLongPathc:\program files\git\usr\bin\d2u.exe 13241300x800000000000000062052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\BinProductVersion(Empty) 13241300x800000000000000062051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LinkDate03/26/2021 22:24:41 13241300x800000000000000062050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\Publisher(Empty) 13241300x800000000000000062049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygwin-console-h|5323f22aa324e252\LowerCaseLongPathc:\program files\git\usr\bin\cygwin-console-helper.exe 13241300x800000000000000062048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\BinProductVersion(Empty) 13241300x800000000000000062047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LinkDate03/26/2021 22:24:39 13241300x800000000000000062046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\Publisher(Empty) 13241300x800000000000000062045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.281{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygpath.exe|89e407d49466bcd8\LowerCaseLongPathc:\program files\git\usr\bin\cygpath.exe 13241300x800000000000000062044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\BinProductVersion(Empty) 13241300x800000000000000062043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LinkDate03/26/2021 22:24:41 13241300x800000000000000062042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\Publisher(Empty) 13241300x800000000000000062041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cygcheck.exe|6a2038f6387fe2d8\LowerCaseLongPathc:\program files\git\usr\bin\cygcheck.exe 13241300x800000000000000062040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\BinProductVersion(Empty) 13241300x800000000000000062039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LinkDate01/01/1970 00:00:00 13241300x800000000000000062038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\Publisher(Empty) 13241300x800000000000000062037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cut.exe|19b3f09ad648b49b\LowerCaseLongPathc:\program files\git\usr\bin\cut.exe 13241300x800000000000000062036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\BinProductVersion(Empty) 13241300x800000000000000062035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.280{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LinkDate06/25/2021 16:02:46 13241300x800000000000000062034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\Publisher(Empty) 13241300x800000000000000062033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\curl.exe|34ac32e380c639e7\LowerCaseLongPathc:\program files\git\mingw64\bin\curl.exe 13241300x800000000000000062032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\BinProductVersion(Empty) 13241300x800000000000000062031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LinkDate01/01/1970 00:00:00 13241300x800000000000000062030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\Publisher(Empty) 13241300x800000000000000062029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\csplit.exe|86edd40dc8e531c1\LowerCaseLongPathc:\program files\git\usr\bin\csplit.exe 13241300x800000000000000062028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\BinProductVersion(Empty) 13241300x800000000000000062027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LinkDate01/01/1970 00:00:00 13241300x800000000000000062026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\Publisher(Empty) 13241300x800000000000000062025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.279{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\create-shortcut.|7be1e57c6a9b6d74\LowerCaseLongPathc:\program files\git\mingw64\bin\create-shortcut.exe 13241300x800000000000000062024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\BinProductVersion(Empty) 13241300x800000000000000062023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LinkDate01/01/1970 00:00:00 13241300x800000000000000062022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\Publisher(Empty) 13241300x800000000000000062021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cp.exe|a9aa2ba1cc55a1d1\LowerCaseLongPathc:\program files\git\usr\bin\cp.exe 13241300x800000000000000062020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\BinProductVersion(Empty) 13241300x800000000000000062019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LinkDate01/01/1970 00:00:00 13241300x800000000000000062018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\Publisher(Empty) 13241300x800000000000000062017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\connect.exe|98a1b69f7698c1b1\LowerCaseLongPathc:\program files\git\mingw64\bin\connect.exe 13241300x800000000000000062016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\BinProductVersion2.32.0.2 13241300x800000000000000062015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.278{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LinkDate07/06/2021 19:01:05 13241300x800000000000000062014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\Publisherthe git development community 13241300x800000000000000062013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\compat-bash.exe|2353d7f66f7d8a47\LowerCaseLongPathc:\program files\git\mingw64\share\git\compat-bash.exe 13241300x800000000000000062012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\BinProductVersion(Empty) 13241300x800000000000000062011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LinkDate01/01/1970 00:00:00 13241300x800000000000000062010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\Publisher(Empty) 13241300x800000000000000062009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\comm.exe|9b9df3e9f04bb630\LowerCaseLongPathc:\program files\git\usr\bin\comm.exe 13241300x800000000000000062008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\BinProductVersion(Empty) 13241300x800000000000000062007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LinkDate01/01/1970 00:00:00 13241300x800000000000000062006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.277{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\Publisher(Empty) 13241300x800000000000000062005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\column.exe|a0a6e93c07d1168\LowerCaseLongPathc:\program files\git\usr\bin\column.exe 13241300x800000000000000062004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\BinProductVersion(Empty) 13241300x800000000000000062003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LinkDate01/01/1970 00:00:00 13241300x800000000000000062002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\Publisher(Empty) 13241300x800000000000000062001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cmp.exe|de6ed9764cfeeb7f\LowerCaseLongPathc:\program files\git\usr\bin\cmp.exe 13241300x800000000000000062000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\BinProductVersion(Empty) 13241300x800000000000000061999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LinkDate01/01/1970 00:00:00 13241300x800000000000000061998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\Publisher(Empty) 13241300x800000000000000061997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.276{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clear.exe|23d1f6608a1d3194\LowerCaseLongPathc:\program files\git\usr\bin\clear.exe 13241300x800000000000000061996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\BinProductVersion(Empty) 13241300x800000000000000061995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LinkDate10/26/1974 18:18:40 13241300x800000000000000061994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\Publisher(Empty) 13241300x800000000000000061993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cldr-plurals.exe|acec4b705bc23965\LowerCaseLongPathc:\program files\git\usr\lib\gettext\cldr-plurals.exe 13241300x800000000000000061992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\BinProductVersion(Empty) 13241300x800000000000000061991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LinkDate01/01/1970 00:00:00 13241300x800000000000000061990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\Publisher(Empty) 13241300x800000000000000061989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cksum.exe|877b1cc41ae31cae\LowerCaseLongPathc:\program files\git\usr\bin\cksum.exe 13241300x800000000000000061988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\BinProductVersion(Empty) 13241300x800000000000000061987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.275{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LinkDate01/01/1970 00:00:00 13241300x800000000000000061986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\Publisher(Empty) 13241300x800000000000000061985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chroot.exe|699e7ae138a98a36\LowerCaseLongPathc:\program files\git\usr\bin\chroot.exe 13241300x800000000000000061984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\BinProductVersion(Empty) 13241300x800000000000000061983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LinkDate01/01/1970 00:00:00 13241300x800000000000000061982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\Publisher(Empty) 13241300x800000000000000061981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chown.exe|6e51d9aedefdf80f\LowerCaseLongPathc:\program files\git\usr\bin\chown.exe 13241300x800000000000000061980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\BinProductVersion(Empty) 13241300x800000000000000061979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.274{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LinkDate01/01/1970 00:00:00 13241300x800000000000000061978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\Publisher(Empty) 13241300x800000000000000061977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chmod.exe|e3ddbff0fcd6c5e6\LowerCaseLongPathc:\program files\git\usr\bin\chmod.exe 13241300x800000000000000061976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\BinProductVersion(Empty) 13241300x800000000000000061975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LinkDate01/01/1970 00:00:00 13241300x800000000000000061974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\Publisher(Empty) 13241300x800000000000000061973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chgrp.exe|bb039b4cd0c6f545\LowerCaseLongPathc:\program files\git\usr\bin\chgrp.exe 13241300x800000000000000061972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\BinProductVersion(Empty) 13241300x800000000000000061971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LinkDate01/01/1970 00:00:00 13241300x800000000000000061970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\Publisher(Empty) 13241300x800000000000000061969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.273{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chcon.exe|8f0fac908d5773b6\LowerCaseLongPathc:\program files\git\usr\bin\chcon.exe 13241300x800000000000000061968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.272{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\BinProductVersion(Empty) 13241300x800000000000000061967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.272{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LinkDate03/26/2021 22:24:39 13241300x800000000000000061966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.272{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\Publisher(Empty) 13241300x800000000000000061965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\chattr.exe|29db3d1af543269b\LowerCaseLongPathc:\program files\git\usr\bin\chattr.exe 354300x800000000000000028914Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:15.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028913Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:16.078{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710AE755605EEFCEFB13D0CFD0A2EEF3,SHA256=821A76882A8D50C85A2D00A4D814D60D9FF4BFE1753F58116E03B1EDAFDAC77F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000061964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\BinProductVersion(Empty) 13241300x800000000000000061963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LinkDate01/01/1970 00:00:00 13241300x800000000000000061962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\Publisher(Empty) 13241300x800000000000000061961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cat.exe|c9bdbcd78462df5e\LowerCaseLongPathc:\program files\git\usr\bin\cat.exe 13241300x800000000000000061960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\BinProductVersion(Empty) 13241300x800000000000000061959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LinkDate01/01/1970 00:00:00 13241300x800000000000000061958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\Publisher(Empty) 13241300x800000000000000061957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.271{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\captoinfo.exe|ae170334068304db\LowerCaseLongPathc:\program files\git\usr\bin\captoinfo.exe 13241300x800000000000000061956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\BinProductVersion(Empty) 13241300x800000000000000061955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LinkDate01/01/1970 00:00:00 13241300x800000000000000061954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\Publisher(Empty) 13241300x800000000000000061953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|7b4916700fd7fa54\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2recover.exe 13241300x800000000000000061952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\BinProductVersion(Empty) 13241300x800000000000000061951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LinkDate01/01/1970 00:00:00 13241300x800000000000000061950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\Publisher(Empty) 13241300x800000000000000061949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2recover.exe|6fb043bab87a8c4c\LowerCaseLongPathc:\program files\git\usr\bin\bzip2recover.exe 13241300x800000000000000061948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\BinProductVersion(Empty) 13241300x800000000000000061947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.270{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LinkDate01/01/1970 00:00:00 13241300x800000000000000061946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\Publisher(Empty) 13241300x800000000000000061945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|cecf80293919b675\LowerCaseLongPathc:\program files\git\mingw64\bin\bzip2.exe 13241300x800000000000000061944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\BinProductVersion(Empty) 13241300x800000000000000061943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LinkDate01/01/1970 00:00:00 13241300x800000000000000061942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\Publisher(Empty) 13241300x800000000000000061941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzip2.exe|6e87155dac2f4c04\LowerCaseLongPathc:\program files\git\usr\bin\bzip2.exe 13241300x800000000000000061940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\BinProductVersion(Empty) 13241300x800000000000000061939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LinkDate01/01/1970 00:00:00 13241300x800000000000000061938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\Publisher(Empty) 13241300x800000000000000061937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.269{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|5bd95ec17b3dd431\LowerCaseLongPathc:\program files\git\usr\bin\bzcat.exe 13241300x800000000000000061936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\BinProductVersion(Empty) 13241300x800000000000000061935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LinkDate01/01/1970 00:00:00 13241300x800000000000000061934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\Publisher(Empty) 13241300x800000000000000061933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bzcat.exe|22efe6404fe377ef\LowerCaseLongPathc:\program files\git\mingw64\bin\bzcat.exe 13241300x800000000000000061932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\BinProductVersion(Empty) 13241300x800000000000000061931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LinkDate01/01/1970 00:00:00 13241300x800000000000000061930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\Publisher(Empty) 13241300x800000000000000061929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.268{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|e3db3453bc608648\LowerCaseLongPathc:\program files\git\mingw64\bin\bunzip2.exe 13241300x800000000000000061928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\BinProductVersion(Empty) 13241300x800000000000000061927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LinkDate01/01/1970 00:00:00 13241300x800000000000000061926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\Publisher(Empty) 13241300x800000000000000061925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bunzip2.exe|9ac74d590cb04f1a\LowerCaseLongPathc:\program files\git\usr\bin\bunzip2.exe 13241300x800000000000000061924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\BinProductVersion(Empty) 13241300x800000000000000061923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LinkDate01/01/1970 00:00:00 13241300x800000000000000061922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\Publisher(Empty) 13241300x800000000000000061921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\brotli.exe|31204f639af895eb\LowerCaseLongPathc:\program files\git\mingw64\bin\brotli.exe 13241300x800000000000000061920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\BinProductVersion(Empty) 13241300x800000000000000061919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.267{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LinkDate01/01/1970 00:00:00 13241300x800000000000000061918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\Publisher(Empty) 13241300x800000000000000061917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\blocked-file-uti|26a5d90fb1352887\LowerCaseLongPathc:\program files\git\mingw64\bin\blocked-file-util.exe 13241300x800000000000000061916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\BinProductVersion2.32.0.2 13241300x800000000000000061915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LinkDate07/06/2021 19:01:05 13241300x800000000000000061914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\Publisherthe git development community 13241300x800000000000000061913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|82493e8a87323f44\LowerCaseLongPathc:\program files\git\bin\bash.exe 13241300x800000000000000061912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\BinProductVersion(Empty) 13241300x800000000000000061911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LinkDate12/04/2018 10:21:15 13241300x800000000000000061910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\Publisher(Empty) 13241300x800000000000000061909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.266{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\bash.exe|5f326cb536e85740\LowerCaseLongPathc:\program files\git\usr\bin\bash.exe 13241300x800000000000000061908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\BinProductVersion(Empty) 13241300x800000000000000061907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LinkDate01/01/1970 00:00:00 13241300x800000000000000061906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\Publisher(Empty) 13241300x800000000000000061905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basenc.exe|441974f40d711257\LowerCaseLongPathc:\program files\git\usr\bin\basenc.exe 13241300x800000000000000061904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\BinProductVersion(Empty) 13241300x800000000000000061903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LinkDate01/01/1970 00:00:00 13241300x800000000000000061902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\Publisher(Empty) 13241300x800000000000000061901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.265{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\basename.exe|47ada093d5bb600a\LowerCaseLongPathc:\program files\git\usr\bin\basename.exe 13241300x800000000000000061900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\BinProductVersion(Empty) 13241300x800000000000000061899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LinkDate01/01/1970 00:00:00 13241300x800000000000000061898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\Publisher(Empty) 13241300x800000000000000061897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base64.exe|962b95c6244d4b06\LowerCaseLongPathc:\program files\git\usr\bin\base64.exe 13241300x800000000000000061896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\BinProductVersion(Empty) 13241300x800000000000000061895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LinkDate01/01/1970 00:00:00 13241300x800000000000000061894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\Publisher(Empty) 13241300x800000000000000061893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\base32.exe|a314ab833a8613c9\LowerCaseLongPathc:\program files\git\usr\bin\base32.exe 13241300x800000000000000061892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\BinProductVersion(Empty) 13241300x800000000000000061891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LinkDate01/01/1970 00:00:00 13241300x800000000000000061890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.264{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\Publisher(Empty) 13241300x800000000000000061889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\b2sum.exe|29b37ad7ebd1394a\LowerCaseLongPathc:\program files\git\usr\bin\b2sum.exe 13241300x800000000000000061888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\BinProductVersion(Empty) 13241300x800000000000000061887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LinkDate01/01/1970 00:00:00 13241300x800000000000000061886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\Publisher(Empty) 13241300x800000000000000061885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\awk.exe|283395e55c831d1d\LowerCaseLongPathc:\program files\git\usr\bin\awk.exe 13241300x800000000000000061884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\BinProductVersion2.0.475.0 13241300x800000000000000061883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LinkDate07/14/2093 03:17:24 13241300x800000000000000061882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\Publisheratlassian.bitbucket.ui 13241300x800000000000000061881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.263{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\atlassian.bitbuc|c03cc9e8c801d513\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\atlassian.bitbucket.ui.exe 13241300x800000000000000061880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\BinProductVersion(Empty) 13241300x800000000000000061879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LinkDate01/01/1970 00:00:00 13241300x800000000000000061878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\Publisher(Empty) 13241300x800000000000000061877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\arch.exe|6cd29c8ee920e833\LowerCaseLongPathc:\program files\git\usr\bin\arch.exe 13241300x800000000000000061876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\BinProductVersion(Empty) 13241300x800000000000000061875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LinkDate01/01/1970 00:00:00 13241300x800000000000000061874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\Publisher(Empty) 13241300x800000000000000061873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\antiword.exe|f9989c5a06cca46c\LowerCaseLongPathc:\program files\git\mingw64\bin\antiword.exe 13241300x800000000000000061872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\BinProductVersion(Empty) 13241300x800000000000000061871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LinkDate01/01/1970 00:00:00 13241300x800000000000000061870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.262{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\Publisher(Empty) 13241300x800000000000000061869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ahost.exe|40c7db6e62088170\LowerCaseLongPathc:\program files\git\mingw64\bin\ahost.exe 13241300x800000000000000061868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\BinProductVersion(Empty) 13241300x800000000000000061867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LinkDate01/01/1970 00:00:00 13241300x800000000000000061866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\Publisher(Empty) 13241300x800000000000000061865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\adig.exe|8c2dc2d7e3156644\LowerCaseLongPathc:\program files\git\mingw64\bin\adig.exe 13241300x800000000000000061864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\BinProductVersion(Empty) 13241300x800000000000000061863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LinkDate01/01/1970 00:00:00 13241300x800000000000000061862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\Publisher(Empty) 13241300x800000000000000061861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.261{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\acountry.exe|45550c852fce5231\LowerCaseLongPathc:\program files\git\mingw64\bin\acountry.exe 13241300x800000000000000061860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.260{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\BinProductVersion(Empty) 13241300x800000000000000061859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.260{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LinkDate01/01/1970 00:00:00 13241300x800000000000000061858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.260{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\Publisher(Empty) 13241300x800000000000000061857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.260{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\[.exe|b6eac39997c90239\LowerCaseLongPathc:\program files\git\usr\bin\[.exe 13241300x800000000000000061856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.258{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00004269cd4ee2955456871b1b37ff6239450000ffff\PublisherThe Git Development Community 23542300x800000000000000061855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.230{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7D5B42164C32C7DA469E1FD8A8EE00,SHA256=2FEF38C9C07A735A878E98AE29DB6E50491DF057CF4B6EA78E7F7B2D98788888,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000063157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LowerCaseLongPathc:\program files\git\usr\bin\mkgroup.exe 13241300x800000000000000063156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\BinProductVersion(Empty) 13241300x800000000000000063155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LinkDate01/01/1970 00:00:00 13241300x800000000000000063154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\Publisher(Empty) 13241300x800000000000000063153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkfifo.exe|1676140672f1cfe0\LowerCaseLongPathc:\program files\git\usr\bin\mkfifo.exe 13241300x800000000000000063152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\BinProductVersion(Empty) 13241300x800000000000000063151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LinkDate01/01/1970 00:00:00 13241300x800000000000000063150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\Publisher(Empty) 13241300x800000000000000063149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkdir.exe|d166f5452ec8d3f1\LowerCaseLongPathc:\program files\git\usr\bin\mkdir.exe 13241300x800000000000000063148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\BinProductVersion0.0.0.0 13241300x800000000000000063147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\Publisherandy koppe / thomas wolff 13241300x800000000000000063145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mintty.exe|49e751352c5fb46d\LowerCaseLongPathc:\program files\git\usr\bin\mintty.exe 13241300x800000000000000063144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\BinProductVersion(Empty) 13241300x800000000000000063143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LinkDate03/26/2021 22:24:40 13241300x800000000000000063142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.404{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\Publisher(Empty) 13241300x800000000000000063141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidumper.exe|54796dc6e15198fd\LowerCaseLongPathc:\program files\git\usr\bin\minidumper.exe 13241300x800000000000000063140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\BinProductVersion(Empty) 13241300x800000000000000063139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LinkDate01/01/1970 00:00:00 13241300x800000000000000063138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\Publisher(Empty) 13241300x800000000000000063137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\md5sum.exe|24d7cfd4f0a567ad\LowerCaseLongPathc:\program files\git\usr\bin\md5sum.exe 13241300x800000000000000063136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\BinProductVersion(Empty) 13241300x800000000000000063135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LinkDate01/01/1970 00:00:00 13241300x800000000000000063134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\Publisher(Empty) 13241300x800000000000000063133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.403{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mac2unix.exe|fa8c232fc2ace248\LowerCaseLongPathc:\program files\git\usr\bin\mac2unix.exe 13241300x800000000000000063132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\BinProductVersion5.2.5.0 13241300x800000000000000063131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LinkDate01/01/1970 00:00:00 13241300x800000000000000063130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmainfo.exe|3070267691718925\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmainfo.exe 13241300x800000000000000063128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\BinProductVersion5.2.5.0 13241300x800000000000000063127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lzmadec.exe|d4a4f5d09de2ad9f\LowerCaseLongPathc:\program files\git\mingw64\bin\lzmadec.exe 13241300x800000000000000063124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\BinProductVersion(Empty) 13241300x800000000000000063123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.402{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LinkDate03/26/2021 22:24:39 13241300x800000000000000063122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\Publisher(Empty) 13241300x800000000000000063121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lsattr.exe|e9598ad07d9f1abe\LowerCaseLongPathc:\program files\git\usr\bin\lsattr.exe 13241300x800000000000000063120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\BinProductVersion(Empty) 13241300x800000000000000063119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LinkDate01/01/1970 00:00:00 13241300x800000000000000063118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\Publisher(Empty) 13241300x800000000000000063117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ls.exe|dfaab3a81c3b31c6\LowerCaseLongPathc:\program files\git\usr\bin\ls.exe 13241300x800000000000000063116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\BinProductVersion(Empty) 13241300x800000000000000063115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LinkDate01/01/1970 00:00:00 13241300x800000000000000063114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\Publisher(Empty) 13241300x800000000000000063113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.401{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\logname.exe|12359a62b40825c8\LowerCaseLongPathc:\program files\git\usr\bin\logname.exe 13241300x800000000000000063112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\BinProductVersion(Empty) 13241300x800000000000000063111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LinkDate01/01/1970 00:00:00 13241300x800000000000000063110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\Publisher(Empty) 13241300x800000000000000063109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locate.exe|62a0c84839d4a077\LowerCaseLongPathc:\program files\git\usr\bin\locate.exe 13241300x800000000000000063108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\BinProductVersion(Empty) 13241300x800000000000000063107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LinkDate03/26/2021 22:24:39 13241300x800000000000000063106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\Publisher(Empty) 13241300x800000000000000063105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.400{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\locale.exe|5d75359b8fae4864\LowerCaseLongPathc:\program files\git\usr\bin\locale.exe 13241300x800000000000000063104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\BinProductVersion(Empty) 13241300x800000000000000063103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LinkDate01/01/1970 00:00:00 13241300x800000000000000063102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\Publisher(Empty) 13241300x800000000000000063101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ln.exe|79dda9f517ff22bc\LowerCaseLongPathc:\program files\git\usr\bin\ln.exe 13241300x800000000000000063100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\BinProductVersion(Empty) 13241300x800000000000000063099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LinkDate01/01/1970 00:00:00 13241300x800000000000000063098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\Publisher(Empty) 13241300x800000000000000063097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.399{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\link.exe|293c50e422886ac8\LowerCaseLongPathc:\program files\git\usr\bin\link.exe 10341000x800000000000000063096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.399{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000063095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\BinProductVersion(Empty) 10341000x800000000000000063094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.398{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000063093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LinkDate01/01/1970 00:00:00 13241300x800000000000000063092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\Publisher(Empty) 13241300x800000000000000063091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lesskey.exe|6d817558b9a5216\LowerCaseLongPathc:\program files\git\usr\bin\lesskey.exe 13241300x800000000000000063090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\BinProductVersion(Empty) 13241300x800000000000000063089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\Publisher(Empty) 13241300x800000000000000063087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lessecho.exe|3b7a4aa7df4af94e\LowerCaseLongPathc:\program files\git\usr\bin\lessecho.exe 13241300x800000000000000063086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\BinProductVersion(Empty) 13241300x800000000000000063085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.398{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LinkDate01/01/1970 00:00:00 13241300x800000000000000063084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\Publisher(Empty) 13241300x800000000000000063083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\less.exe|a02ef69e95f97e25\LowerCaseLongPathc:\program files\git\usr\bin\less.exe 13241300x800000000000000063082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\BinProductVersion(Empty) 13241300x800000000000000063081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LinkDate03/26/2021 22:24:41 13241300x800000000000000063080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\Publisher(Empty) 13241300x800000000000000063079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldh.exe|da4d63a2fca071c0\LowerCaseLongPathc:\program files\git\usr\bin\ldh.exe 13241300x800000000000000063078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\BinProductVersion(Empty) 13241300x800000000000000063077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LinkDate03/26/2021 22:24:39 13241300x800000000000000063076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.397{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\Publisher(Empty) 13241300x800000000000000063075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ldd.exe|15068ec08ef3ecfc\LowerCaseLongPathc:\program files\git\usr\bin\ldd.exe 13241300x800000000000000063074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\BinProductVersion(Empty) 13241300x800000000000000063073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LinkDate03/26/2021 22:24:39 13241300x800000000000000063072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\Publisher(Empty) 13241300x800000000000000063071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kill.exe|4bade27621c021e4\LowerCaseLongPathc:\program files\git\usr\bin\kill.exe 13241300x800000000000000063070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\BinProductVersion(Empty) 13241300x800000000000000063069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LinkDate01/01/1970 00:00:00 13241300x800000000000000063068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\Publisher(Empty) 13241300x800000000000000063067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.396{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\kbxutil.exe|1308e71e0c8d3207\LowerCaseLongPathc:\program files\git\usr\bin\kbxutil.exe 13241300x800000000000000063066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\BinProductVersion(Empty) 13241300x800000000000000063065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\Publisher(Empty) 13241300x800000000000000063063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\join.exe|dc913e518f010b9e\LowerCaseLongPathc:\program files\git\usr\bin\join.exe 13241300x800000000000000063062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\BinProductVersion(Empty) 13241300x800000000000000063061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LinkDate01/01/1970 00:00:00 13241300x800000000000000063060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\Publisher(Empty) 13241300x800000000000000063059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\install.exe|6fbae492ae887311\LowerCaseLongPathc:\program files\git\usr\bin\install.exe 13241300x800000000000000063058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\BinProductVersion(Empty) 13241300x800000000000000063057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\Publisher(Empty) 13241300x800000000000000063055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.395{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infotocap.exe|b30daf4370dfb24c\LowerCaseLongPathc:\program files\git\usr\bin\infotocap.exe 13241300x800000000000000063054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\BinProductVersion(Empty) 13241300x800000000000000063053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LinkDate01/01/1970 00:00:00 13241300x800000000000000063052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\Publisher(Empty) 13241300x800000000000000063051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\infocmp.exe|bf56519423b7f5b4\LowerCaseLongPathc:\program files\git\usr\bin\infocmp.exe 13241300x800000000000000063050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\BinProductVersion(Empty) 13241300x800000000000000063049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LinkDate01/01/1970 00:00:00 13241300x800000000000000063048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\Publisher(Empty) 13241300x800000000000000063047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.394{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\id.exe|58d5aeed1760e581\LowerCaseLongPathc:\program files\git\usr\bin\id.exe 13241300x800000000000000063046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\BinProductVersion(Empty) 13241300x800000000000000063045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\Publisher(Empty) 13241300x800000000000000063043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iconv.exe|aa01f87ce2558a5a\LowerCaseLongPathc:\program files\git\usr\bin\iconv.exe 13241300x800000000000000063042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\BinProductVersion(Empty) 13241300x800000000000000063041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LinkDate01/01/1970 00:00:00 13241300x800000000000000063040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\Publisher(Empty) 13241300x800000000000000063039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.393{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|87d3101f283dd346\LowerCaseLongPathc:\program files\git\usr\bin\hostname.exe 13241300x800000000000000063038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\BinProductVersion(Empty) 13241300x800000000000000063037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LinkDate06/19/2025 15:30:53 13241300x800000000000000063036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\Publisher(Empty) 13241300x800000000000000063035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostname.exe|810b252b242085fc\LowerCaseLongPathc:\program files\git\usr\lib\gettext\hostname.exe 13241300x800000000000000063034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\BinProductVersion(Empty) 13241300x800000000000000063033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LinkDate01/01/1970 00:00:00 13241300x800000000000000063032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\Publisher(Empty) 13241300x800000000000000063031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hostid.exe|6d4143f0897c8d41\LowerCaseLongPathc:\program files\git\usr\bin\hostid.exe 13241300x800000000000000063030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\BinProductVersion(Empty) 13241300x800000000000000063029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.392{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LinkDate01/01/1970 00:00:00 13241300x800000000000000063028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\Publisher(Empty) 13241300x800000000000000063027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\hmac256.exe|32958ea17350316\LowerCaseLongPathc:\program files\git\usr\bin\hmac256.exe 13241300x800000000000000063026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\BinProductVersion2.32.0.2 13241300x800000000000000063025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LinkDate07/06/2021 19:08:55 13241300x800000000000000063024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\Publisherthe git development community 13241300x800000000000000063023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\headless-git.exe|785e29ace5e8bd40\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\headless-git.exe 13241300x800000000000000063022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\BinProductVersion(Empty) 13241300x800000000000000063021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.391{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\Publisher(Empty) 13241300x800000000000000063019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\head.exe|fc7ddc9982db949a\LowerCaseLongPathc:\program files\git\usr\bin\head.exe 13241300x800000000000000063018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\BinProductVersion(Empty) 13241300x800000000000000063017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LinkDate01/01/1970 00:00:00 13241300x800000000000000063016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\Publisher(Empty) 13241300x800000000000000063015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gzip.exe|5579843dbc752d44\LowerCaseLongPathc:\program files\git\usr\bin\gzip.exe 13241300x800000000000000063014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\BinProductVersion(Empty) 13241300x800000000000000063013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\Publisher(Empty) 13241300x800000000000000063011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gsettings.exe|4246bb34aefdd57f\LowerCaseLongPathc:\program files\git\usr\bin\gsettings.exe 13241300x800000000000000063010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\BinProductVersion(Empty) 13241300x800000000000000063009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LinkDate01/01/1970 00:00:00 13241300x800000000000000063008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.390{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\Publisher(Empty) 13241300x800000000000000063007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\groups.exe|2cd133bd6998e5fb\LowerCaseLongPathc:\program files\git\usr\bin\groups.exe 13241300x800000000000000063006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\BinProductVersion(Empty) 13241300x800000000000000063005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\Publisher(Empty) 13241300x800000000000000063003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grep.exe|e40de301f2861b6e\LowerCaseLongPathc:\program files\git\usr\bin\grep.exe 13241300x800000000000000063002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\BinProductVersion(Empty) 13241300x800000000000000063001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\Publisher(Empty) 13241300x800000000000000062999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grcat.exe|dafb27ccdda3446f\LowerCaseLongPathc:\program files\git\usr\lib\awk\grcat.exe 13241300x800000000000000062998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\BinProductVersion(Empty) 13241300x800000000000000062997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.389{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LinkDate01/01/1970 00:00:00 13241300x800000000000000062996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\Publisher(Empty) 13241300x800000000000000062995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgv.exe|3e8076918b3dc637\LowerCaseLongPathc:\program files\git\usr\bin\gpgv.exe 13241300x800000000000000062994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\BinProductVersion(Empty) 13241300x800000000000000062993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LinkDate01/01/1970 00:00:00 13241300x800000000000000062992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\Publisher(Empty) 13241300x800000000000000062991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgtar.exe|83e2bc192363db05\LowerCaseLongPathc:\program files\git\usr\bin\gpgtar.exe 13241300x800000000000000062990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\BinProductVersion(Empty) 13241300x800000000000000062989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LinkDate01/01/1970 00:00:00 13241300x800000000000000062988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\Publisher(Empty) 13241300x800000000000000062987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.388{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsplit.exe|87bafc2530c840f0\LowerCaseLongPathc:\program files\git\usr\bin\gpgsplit.exe 13241300x800000000000000062986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\BinProductVersion(Empty) 13241300x800000000000000062985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LinkDate01/01/1970 00:00:00 13241300x800000000000000062984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\Publisher(Empty) 13241300x800000000000000062983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgsm.exe|c489439d65554f2c\LowerCaseLongPathc:\program files\git\usr\bin\gpgsm.exe 13241300x800000000000000062982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\BinProductVersion(Empty) 13241300x800000000000000062981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LinkDate01/01/1970 00:00:00 13241300x800000000000000062980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\Publisher(Empty) 13241300x800000000000000062979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgscm.exe|afd870348aad8e2b\LowerCaseLongPathc:\program files\git\usr\bin\gpgscm.exe 13241300x800000000000000062978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\BinProductVersion(Empty) 13241300x800000000000000062977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.387{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LinkDate01/01/1970 00:00:00 13241300x800000000000000062976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\Publisher(Empty) 13241300x800000000000000062975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgparsemail.exe|a1d04daf32233825\LowerCaseLongPathc:\program files\git\usr\bin\gpgparsemail.exe 10341000x800000000000000062974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.386{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-EF0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000062973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\BinProductVersion(Empty) 13241300x800000000000000062972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LinkDate01/01/1970 00:00:00 13241300x800000000000000062971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\Publisher(Empty) 13241300x800000000000000062970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpgconf.exe|871b799717455ba3\LowerCaseLongPathc:\program files\git\usr\bin\gpgconf.exe 13241300x800000000000000062969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\BinProductVersion(Empty) 13241300x800000000000000062968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LinkDate01/01/1970 00:00:00 13241300x800000000000000062967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.386{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\Publisher(Empty) 13241300x800000000000000062966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg.exe|6cedb1e2633436b0\LowerCaseLongPathc:\program files\git\usr\bin\gpg.exe 13241300x800000000000000062965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\BinProductVersion(Empty) 13241300x800000000000000062964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LinkDate01/01/1970 00:00:00 13241300x800000000000000062963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\Publisher(Empty) 13241300x800000000000000062962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-server.e|61034539dd4597ca\LowerCaseLongPathc:\program files\git\usr\bin\gpg-wks-server.exe 13241300x800000000000000062961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\BinProductVersion(Empty) 13241300x800000000000000062960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LinkDate01/01/1970 00:00:00 13241300x800000000000000062959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\Publisher(Empty) 354300x800000000000000062958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.329{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65121-false13.107.6.158bingforbusiness.com443https 354300x800000000000000062957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.005{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000062956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.201{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65119-false93.184.220.29-80http 354300x800000000000000062955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:15.081{43EB4363-5649-60F5-C808-00000000E501}4308C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65118-false52.170.57.27-443https 13241300x800000000000000062954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.385{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-wks-client.e|2e2d230f1afcaaed\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-wks-client.exe 13241300x800000000000000062953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\BinProductVersion(Empty) 13241300x800000000000000062952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LinkDate01/01/1970 00:00:00 13241300x800000000000000062951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\Publisher(Empty) 13241300x800000000000000062950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-protect-tool|5c31ebeff73373e2\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-protect-tool.exe 13241300x800000000000000062949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\BinProductVersion(Empty) 13241300x800000000000000062948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LinkDate01/01/1970 00:00:00 13241300x800000000000000062947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\Publisher(Empty) 13241300x800000000000000062946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-preset-passp|fd30c53215b384cf\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-preset-passphrase.exe 13241300x800000000000000062945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\BinProductVersion(Empty) 13241300x800000000000000062944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.384{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LinkDate01/01/1970 00:00:00 13241300x800000000000000062943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\Publisher(Empty) 13241300x800000000000000062942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-error.exe|5a340ac79026d48f\LowerCaseLongPathc:\program files\git\usr\bin\gpg-error.exe 13241300x800000000000000062941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\BinProductVersion(Empty) 13241300x800000000000000062940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LinkDate01/01/1970 00:00:00 13241300x800000000000000062939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\Publisher(Empty) 13241300x800000000000000062938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-connect-agen|faaecb1ec9697c58\LowerCaseLongPathc:\program files\git\usr\bin\gpg-connect-agent.exe 13241300x800000000000000062937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\BinProductVersion(Empty) 13241300x800000000000000062936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LinkDate01/01/1970 00:00:00 13241300x800000000000000062935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\Publisher(Empty) 13241300x800000000000000062934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.383{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-check-patter|e2542f724e45af1f\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\gpg-check-pattern.exe 13241300x800000000000000062933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\BinProductVersion(Empty) 13241300x800000000000000062932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LinkDate01/01/1970 00:00:00 13241300x800000000000000062931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\Publisher(Empty) 13241300x800000000000000062930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gpg-agent.exe|a7286887843abc16\LowerCaseLongPathc:\program files\git\usr\bin\gpg-agent.exe 13241300x800000000000000062929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\BinProductVersion(Empty) 13241300x800000000000000062928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LinkDate01/01/1970 00:00:00 13241300x800000000000000062927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\Publisher(Empty) 13241300x800000000000000062926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.382{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gobject-query.ex|134cc30a240ef385\LowerCaseLongPathc:\program files\git\usr\bin\gobject-query.exe 13241300x800000000000000062925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\BinProductVersion(Empty) 13241300x800000000000000062924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LinkDate01/01/1970 00:00:00 13241300x800000000000000062923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\Publisher(Empty) 13241300x800000000000000062922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\glib-compile-sch|5f50bc4882f3c325\LowerCaseLongPathc:\program files\git\usr\bin\glib-compile-schemas.exe 13241300x800000000000000062921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\BinProductVersion(Empty) 13241300x800000000000000062920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LinkDate01/01/1970 00:00:00 13241300x800000000000000062919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\Publisher(Empty) 13241300x800000000000000062918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gkill.exe|16f69740130f5810\LowerCaseLongPathc:\program files\git\usr\bin\gkill.exe 13241300x800000000000000062917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\BinProductVersion2.32.0.2 13241300x800000000000000062916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.381{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LinkDate07/06/2021 19:01:05 13241300x800000000000000062915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\Publisherthe git development community 13241300x800000000000000062914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gitk.exe|f586b11c21ec8a1b\LowerCaseLongPathc:\program files\git\cmd\gitk.exe 13241300x800000000000000062913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\BinProductVersion2.0.475.0 13241300x800000000000000062912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LinkDate03/05/2038 08:55:10 13241300x800000000000000062911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\Publishergithub.ui 13241300x800000000000000062910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.ui.exe|1ab248feff39f24\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.ui.exe 13241300x800000000000000062909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\BinProductVersion1.5.0.0 13241300x800000000000000062908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LinkDate09/05/2019 15:01:45 13241300x800000000000000062907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.380{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\Publishergithub 13241300x800000000000000062906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.379{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\github.authentic|8ce4a82757c1afc5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\github.authentication.exe 13241300x800000000000000062905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\BinProductVersion2.32.0.2 13241300x800000000000000062904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LinkDate07/06/2021 19:09:00 13241300x800000000000000062903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\Publisherthe git development community 13241300x800000000000000062902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|f578b1fba462cbf9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git.exe 13241300x800000000000000062901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\BinProductVersion2.32.0.2 13241300x800000000000000062900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LinkDate07/06/2021 19:01:05 13241300x800000000000000062899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\Publisherthe git development community 13241300x800000000000000062898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.378{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|ce9561cbd46d08cb\LowerCaseLongPathc:\program files\git\bin\git.exe 13241300x800000000000000062897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\BinProductVersion2.32.0.2 13241300x800000000000000062896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LinkDate07/06/2021 19:09:00 13241300x800000000000000062895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\Publisherthe git development community 13241300x800000000000000062894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|5a45dbb5af7f9d72\LowerCaseLongPathc:\program files\git\mingw64\bin\git.exe 13241300x800000000000000062893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\BinProductVersion2.32.0.2 13241300x800000000000000062892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LinkDate07/06/2021 19:01:05 13241300x800000000000000062891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\Publisherthe git development community 10341000x800000000000000062890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.377{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000062889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git.exe|52b02c4a618839ad\LowerCaseLongPathc:\program files\git\cmd\git.exe 13241300x800000000000000062888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\BinProductVersion2.32.0.2 13241300x800000000000000062887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.377{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LinkDate07/06/2021 19:09:00 13241300x800000000000000062886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\Publisherthe git development community 13241300x800000000000000062885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-write-tree.e|792c1951a5d77083\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-write-tree.exe 13241300x800000000000000062884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\BinProductVersion2.32.0.2 13241300x800000000000000062883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LinkDate07/06/2021 19:01:04 13241300x800000000000000062882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\Publisherthe git development community 13241300x800000000000000062881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-wrapper.exe|76f08d89fd716e41\LowerCaseLongPathc:\program files\git\mingw64\share\git\git-wrapper.exe 13241300x800000000000000062880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\BinProductVersion2.32.0.2 13241300x800000000000000062879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LinkDate07/06/2021 19:09:00 13241300x800000000000000062878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\Publisherthe git development community 13241300x800000000000000062877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.376{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-worktree.exe|334239d9fbdc7a11\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-worktree.exe 13241300x800000000000000062876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\BinProductVersion2.32.0.2 13241300x800000000000000062875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LinkDate07/06/2021 19:09:00 13241300x800000000000000062874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\Publisherthe git development community 13241300x800000000000000062873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-whatchanged.|b8fb62958eb786da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-whatchanged.exe 13241300x800000000000000062872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\BinProductVersion2.32.0.2 13241300x800000000000000062871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LinkDate07/06/2021 19:09:00 13241300x800000000000000062870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\Publisherthe git development community 13241300x800000000000000062869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.375{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-tag.e|d492b12e36f71329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-tag.exe 13241300x800000000000000062868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\BinProductVersion2.32.0.2 13241300x800000000000000062867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LinkDate07/06/2021 19:09:00 13241300x800000000000000062866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\Publisherthe git development community 13241300x800000000000000062865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-pack.|d565dfc7b34b65aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-pack.exe 13241300x800000000000000062864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\BinProductVersion2.32.0.2 13241300x800000000000000062863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LinkDate07/06/2021 19:09:00 13241300x800000000000000062862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\Publisherthe git development community 13241300x800000000000000062861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-verify-commi|f37a5e9bd2f4578a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-verify-commit.exe 13241300x800000000000000062860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.374{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\BinProductVersion2.32.0.2 13241300x800000000000000062859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LinkDate07/06/2021 19:09:00 13241300x800000000000000062858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\Publisherthe git development community 13241300x800000000000000062857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-var.exe|751104bdaadb1181\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-var.exe 13241300x800000000000000062856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\BinProductVersion2.32.0.2 13241300x800000000000000062855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LinkDate07/06/2021 19:09:00 13241300x800000000000000062854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\Publisherthe git development community 13241300x800000000000000062853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.373{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|e0593a4774ace4ad\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-pack.exe 13241300x800000000000000062852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\BinProductVersion2.32.0.2 13241300x800000000000000062851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LinkDate07/06/2021 19:09:00 13241300x800000000000000062850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\Publisherthe git development community 13241300x800000000000000062849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-pack.|4bc571ea2cc47819\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-pack.exe 10341000x800000000000000062848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.372{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-EF0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000062847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\BinProductVersion2.32.0.2 13241300x800000000000000062846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LinkDate07/06/2021 19:09:00 13241300x800000000000000062845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\Publisherthe git development community 13241300x800000000000000062844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|f4cda268b43d63d5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-upload-archive.exe 10341000x800000000000000062843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.372{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BC-60F5-EF0A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000062842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\BinProductVersion2.32.0.2 13241300x800000000000000062841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.372{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\Publisherthe git development community 13241300x800000000000000062839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-upload-archi|970cdd550165a34b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-upload-archive.exe 13241300x800000000000000062838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\BinProductVersion2.32.0.2 13241300x800000000000000062837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LinkDate07/06/2021 19:09:00 13241300x800000000000000062836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\Publisherthe git development community 13241300x800000000000000062835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-serve|d3496551fcee326\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-server-info.exe 13241300x800000000000000062834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\BinProductVersion2.32.0.2 13241300x800000000000000062833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.371{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LinkDate07/06/2021 19:09:00 13241300x800000000000000062832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\Publisherthe git development community 13241300x800000000000000062831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-ref.e|636e33b932a7ad4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-ref.exe 13241300x800000000000000062830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\BinProductVersion2.32.0.2 13241300x800000000000000062829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\Publisherthe git development community 13241300x800000000000000062827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-update-index|cc5c84a1add7114d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-update-index.exe 13241300x800000000000000062826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\BinProductVersion2.32.0.2 13241300x800000000000000062825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\Publisherthe git development community 13241300x800000000000000062823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.370{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-objec|93ac7618bed9528f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-objects.exe 13241300x800000000000000062822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\BinProductVersion2.32.0.2 13241300x800000000000000062821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LinkDate07/06/2021 19:09:00 13241300x800000000000000062820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\Publisherthe git development community 13241300x800000000000000062819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-unpack-file.|7756b160cc2cfb66\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-unpack-file.exe 13241300x800000000000000062818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\BinProductVersion2.32.0.2 13241300x800000000000000062817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LinkDate07/06/2021 19:09:00 13241300x800000000000000062816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\Publisherthe git development community 13241300x800000000000000062815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-tag.exe|7666d39e6cc8f3cc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-tag.exe 13241300x800000000000000062814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\BinProductVersion2.32.0.2 13241300x800000000000000062813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LinkDate07/06/2021 19:09:00 13241300x800000000000000062812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.369{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\Publisherthe git development community 13241300x800000000000000062811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-symbolic-ref|ce473368350d320a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-symbolic-ref.exe 13241300x800000000000000062810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\BinProductVersion2.32.0.2 13241300x800000000000000062809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LinkDate07/06/2021 19:09:00 13241300x800000000000000062808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\Publisherthe git development community 13241300x800000000000000062807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-switch.exe|ff6e85f065529228\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-switch.exe 13241300x800000000000000062806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\BinProductVersion2.32.0.2 13241300x800000000000000062805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LinkDate07/06/2021 19:09:00 13241300x800000000000000062804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\Publisherthe git development community 13241300x800000000000000062803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.368{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-submodule--h|a577781a96a63623\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-submodule--helper.exe 13241300x800000000000000062802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\BinProductVersion2.32.0.2 13241300x800000000000000062801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LinkDate07/06/2021 19:09:00 13241300x800000000000000062800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\Publisherthe git development community 13241300x800000000000000062799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stripspace.e|7f2324fbc967deaa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stripspace.exe 13241300x800000000000000062798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\BinProductVersion2.32.0.2 13241300x800000000000000062797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LinkDate07/06/2021 19:09:00 13241300x800000000000000062796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\Publisherthe git development community 13241300x800000000000000062795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.367{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-status.exe|f379629630fb27d9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-status.exe 13241300x800000000000000062794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\BinProductVersion2.32.0.2 13241300x800000000000000062793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LinkDate07/06/2021 19:09:00 13241300x800000000000000062792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\Publisherthe git development community 13241300x800000000000000062791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stash.exe|a40e77c71ac2aede\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stash.exe 13241300x800000000000000062790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\BinProductVersion2.32.0.2 13241300x800000000000000062789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LinkDate07/06/2021 19:09:00 13241300x800000000000000062788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\Publisherthe git development community 13241300x800000000000000062787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-stage.exe|f500735b2eec0385\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-stage.exe 13241300x800000000000000062786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\BinProductVersion2.32.0.2 13241300x800000000000000062785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.366{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LinkDate07/06/2021 19:09:00 13241300x800000000000000062784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\Publisherthe git development community 13241300x800000000000000062783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sparse-check|f4825f9ae19d20b3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sparse-checkout.exe 13241300x800000000000000062782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\BinProductVersion2.32.0.2 13241300x800000000000000062781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LinkDate07/06/2021 19:09:00 13241300x800000000000000062780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\Publisherthe git development community 13241300x800000000000000062779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show.exe|6e9a2dd47e6867ba\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show.exe 13241300x800000000000000062778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\BinProductVersion2.32.0.2 13241300x800000000000000062777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.365{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LinkDate07/06/2021 19:09:00 13241300x800000000000000062776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\Publisherthe git development community 13241300x800000000000000062775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-ref.exe|f7f4cf76175660d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-ref.exe 13241300x800000000000000062774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\BinProductVersion2.32.0.2 13241300x800000000000000062773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LinkDate07/06/2021 19:09:00 13241300x800000000000000062772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\Publisherthe git development community 13241300x800000000000000062771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-index.e|8286f2c5e311f4dd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-index.exe 13241300x800000000000000062770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\BinProductVersion2.32.0.2 13241300x800000000000000062769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LinkDate07/06/2021 19:09:00 13241300x800000000000000062768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.364{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\Publisherthe git development community 13241300x800000000000000062767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-show-branch.|e7aa2817ea598ca5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-show-branch.exe 13241300x800000000000000062766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\BinProductVersion2.32.0.2 13241300x800000000000000062765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LinkDate07/06/2021 19:09:00 13241300x800000000000000062764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\Publisherthe git development community 13241300x800000000000000062763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-shortlog.exe|6690a566fa773a48\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-shortlog.exe 13241300x800000000000000062762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\BinProductVersion2.32.0.2 13241300x800000000000000062761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LinkDate07/06/2021 19:08:58 13241300x800000000000000062760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\Publisherthe git development community 13241300x800000000000000062759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.363{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-sh-i18n--env|4053f372896ace9d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-sh-i18n--envsubst.exe 13241300x800000000000000062758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\BinProductVersion2.32.0.2 13241300x800000000000000062757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LinkDate07/06/2021 19:09:00 13241300x800000000000000062756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\Publisherthe git development community 13241300x800000000000000062755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-send-pack.ex|da651d512f55be29\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-send-pack.exe 13241300x800000000000000062754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\BinProductVersion2.32.0.2 13241300x800000000000000062753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LinkDate07/06/2021 19:09:00 13241300x800000000000000062752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\Publisherthe git development community 13241300x800000000000000062751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.362{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rm.exe|8e86f766b6479aa7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rm.exe 13241300x800000000000000062750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\BinProductVersion2.32.0.2 13241300x800000000000000062749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LinkDate07/06/2021 19:09:00 13241300x800000000000000062748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\Publisherthe git development community 13241300x800000000000000062747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-revert.exe|7aa27432655fad81\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-revert.exe 13241300x800000000000000062746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\BinProductVersion2.32.0.2 13241300x800000000000000062745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LinkDate07/06/2021 19:09:00 13241300x800000000000000062744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\Publisherthe git development community 13241300x800000000000000062743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-parse.ex|d6a8e773756ed1d6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-parse.exe 13241300x800000000000000062742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.361{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\BinProductVersion2.32.0.2 13241300x800000000000000062741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LinkDate07/06/2021 19:09:00 13241300x800000000000000062740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\Publisherthe git development community 13241300x800000000000000062739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rev-list.exe|269a9e57005af766\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rev-list.exe 13241300x800000000000000062738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\BinProductVersion2.32.0.2 13241300x800000000000000062737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LinkDate07/06/2021 19:09:00 13241300x800000000000000062736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\Publisherthe git development community 13241300x800000000000000062735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-restore.exe|8e7fc8b24c23bae3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-restore.exe 13241300x800000000000000062734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\BinProductVersion2.32.0.2 13241300x800000000000000062733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.360{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LinkDate07/06/2021 19:09:00 13241300x800000000000000062732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\Publisherthe git development community 13241300x800000000000000062731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reset.exe|36c5794b3e41dd77\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reset.exe 13241300x800000000000000062730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\BinProductVersion2.32.0.2 13241300x800000000000000062729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LinkDate07/06/2021 19:09:00 13241300x800000000000000062728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\Publisherthe git development community 13241300x800000000000000062727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rerere.exe|fc745b45c205e431\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rerere.exe 13241300x800000000000000062726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\BinProductVersion2.32.0.2 13241300x800000000000000062725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.359{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LinkDate07/06/2021 19:09:00 13241300x800000000000000062724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\Publisherthe git development community 13241300x800000000000000062723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-replace.exe|3cfc7710e33c88bb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-replace.exe 13241300x800000000000000062722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\BinProductVersion2.32.0.2 13241300x800000000000000062721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LinkDate07/06/2021 19:09:00 13241300x800000000000000062720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\Publisherthe git development community 13241300x800000000000000062719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-repack.exe|b1385c9cee9c0160\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-repack.exe 13241300x800000000000000062718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\BinProductVersion2.32.0.2 13241300x800000000000000062717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.358{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LinkDate07/06/2021 19:09:00 13241300x800000000000000062716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\Publisherthe git development community 13241300x800000000000000062715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote.exe|2eac402aac5dd179\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote.exe 13241300x800000000000000062714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\BinProductVersion2.32.0.2 13241300x800000000000000062713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LinkDate07/06/2021 19:08:59 13241300x800000000000000062712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\Publisherthe git development community 13241300x800000000000000062711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-https|726221edb644a582\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-https.exe 13241300x800000000000000062710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\BinProductVersion2.32.0.2 13241300x800000000000000062709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LinkDate07/06/2021 19:08:59 13241300x800000000000000062708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.357{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\Publisherthe git development community 13241300x800000000000000062707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-http.|7c133653a586f83\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-http.exe 13241300x800000000000000062706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\BinProductVersion2.32.0.2 13241300x800000000000000062705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LinkDate07/06/2021 19:08:59 13241300x800000000000000062704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\Publisherthe git development community 13241300x800000000000000062703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftps.|3aad054899c73a4b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftps.exe 13241300x800000000000000062702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\BinProductVersion2.32.0.2 13241300x800000000000000062701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LinkDate07/06/2021 19:08:59 13241300x800000000000000062700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\Publisherthe git development community 13241300x800000000000000062699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.356{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ftp.e|a2604470889ec908\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ftp.exe 13241300x800000000000000062698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\BinProductVersion2.32.0.2 13241300x800000000000000062697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LinkDate07/06/2021 19:09:00 13241300x800000000000000062696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\Publisherthe git development community 13241300x800000000000000062695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-fd.ex|e557f81c4381d7b0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-fd.exe 13241300x800000000000000062694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\BinProductVersion2.32.0.2 13241300x800000000000000062693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LinkDate07/06/2021 19:09:00 13241300x800000000000000062692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\Publisherthe git development community 13241300x800000000000000062691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.355{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-remote-ext.e|bd6596e1f05a9659\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-remote-ext.exe 13241300x800000000000000062690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\BinProductVersion2.32.0.2 13241300x800000000000000062689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LinkDate07/06/2021 19:09:00 13241300x800000000000000062688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\Publisherthe git development community 13241300x800000000000000062687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-reflog.exe|34db507846fa6f12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-reflog.exe 13241300x800000000000000062686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\BinProductVersion2.32.0.2 13241300x800000000000000062685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LinkDate07/06/2021 19:09:00 13241300x800000000000000062684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\Publisherthe git development community 13241300x800000000000000062683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|8e78e4fb26db059a\LowerCaseLongPathc:\program files\git\mingw64\bin\git-receive-pack.exe 13241300x800000000000000062682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.354{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\BinProductVersion2.32.0.2 13241300x800000000000000062681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\Publisherthe git development community 13241300x800000000000000062679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-receive-pack|4bf4387fd198488d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-receive-pack.exe 13241300x800000000000000062678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\BinProductVersion2.32.0.2 13241300x800000000000000062677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\Publisherthe git development community 13241300x800000000000000062675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.353{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-rebase.exe|80d1b0e35c07195b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-rebase.exe 13241300x800000000000000062674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\BinProductVersion2.32.0.2 13241300x800000000000000062673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LinkDate07/06/2021 19:09:00 13241300x800000000000000062672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\Publisherthe git development community 13241300x800000000000000062671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-read-tree.ex|22941f40e639aef1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-read-tree.exe 13241300x800000000000000062670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\BinProductVersion2.32.0.2 13241300x800000000000000062669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LinkDate07/06/2021 19:09:00 13241300x800000000000000062668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\Publisherthe git development community 13241300x800000000000000062667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-range-diff.e|27a041f8d99ea5e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-range-diff.exe 13241300x800000000000000062666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\BinProductVersion2.32.0.2 13241300x800000000000000062665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.352{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LinkDate07/06/2021 19:09:00 13241300x800000000000000062664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\Publisherthe git development community 13241300x800000000000000062663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-push.exe|6b8bbc843881b879\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-push.exe 13241300x800000000000000062662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\BinProductVersion2.32.0.2 13241300x800000000000000062661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LinkDate07/06/2021 19:09:00 13241300x800000000000000062660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\Publisherthe git development community 13241300x800000000000000062659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pull.exe|5c528221eaacce43\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pull.exe 13241300x800000000000000062658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\BinProductVersion2.32.0.2 13241300x800000000000000062657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LinkDate07/06/2021 19:09:00 13241300x800000000000000062656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.351{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\Publisherthe git development community 13241300x800000000000000062655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune.exe|8dd360f83decd04c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune.exe 13241300x800000000000000062654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\BinProductVersion2.32.0.2 13241300x800000000000000062653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LinkDate07/06/2021 19:09:00 13241300x800000000000000062652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\Publisherthe git development community 13241300x800000000000000062651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-prune-packed|7ea14beb272e20eb\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-prune-packed.exe 13241300x800000000000000062650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\BinProductVersion2.32.0.2 13241300x800000000000000062649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LinkDate07/06/2021 19:09:00 13241300x800000000000000062648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\Publisherthe git development community 13241300x800000000000000062647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.350{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-patch-id.exe|280f7dfabbed9aa0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-patch-id.exe 13241300x800000000000000062646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\BinProductVersion2.32.0.2 13241300x800000000000000062645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LinkDate07/06/2021 19:09:00 13241300x800000000000000062644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\Publisherthe git development community 13241300x800000000000000062643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-refs.ex|a72849c27ec32acf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-refs.exe 13241300x800000000000000062642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\BinProductVersion2.32.0.2 13241300x800000000000000062641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LinkDate07/06/2021 19:09:00 13241300x800000000000000062640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\Publisherthe git development community 13241300x800000000000000062639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-redunda|3bea7e0b47bae351\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-redundant.exe 13241300x800000000000000062638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\BinProductVersion2.32.0.2 13241300x800000000000000062637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.349{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LinkDate07/06/2021 19:09:00 13241300x800000000000000062636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\Publisherthe git development community 13241300x800000000000000062635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-pack-objects|b6ba6e682d1328e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-pack-objects.exe 13241300x800000000000000062634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\BinProductVersion2.32.0.2 13241300x800000000000000062633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LinkDate07/06/2021 19:09:00 13241300x800000000000000062632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\Publisherthe git development community 13241300x800000000000000062631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-notes.exe|cadb47a79807ad03\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-notes.exe 13241300x800000000000000062630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\BinProductVersion2.32.0.2 13241300x800000000000000062629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LinkDate07/06/2021 19:09:00 13241300x800000000000000062628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.348{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\Publisherthe git development community 13241300x800000000000000062627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-name-rev.exe|7b3ad17acd0ba124\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-name-rev.exe 13241300x800000000000000062626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\BinProductVersion2.32.0.2 13241300x800000000000000062625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LinkDate07/06/2021 19:09:00 13241300x800000000000000062624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\Publisherthe git development community 13241300x800000000000000062623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mv.exe|e80e8664561f73b6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mv.exe 13241300x800000000000000062622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\BinProductVersion2.32.0.2 13241300x800000000000000062621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LinkDate07/06/2021 19:09:00 13241300x800000000000000062620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\Publisherthe git development community 13241300x800000000000000062619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.347{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-multi-pack-i|b0da66b3239cc0aa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-multi-pack-index.exe 13241300x800000000000000062618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\BinProductVersion2.32.0.2 13241300x800000000000000062617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LinkDate07/06/2021 19:09:00 13241300x800000000000000062616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\Publisherthe git development community 13241300x800000000000000062615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktree.exe|9fb15060439194e9\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktree.exe 13241300x800000000000000062614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\BinProductVersion2.32.0.2 13241300x800000000000000062613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LinkDate07/06/2021 19:09:00 13241300x800000000000000062612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\Publisherthe git development community 13241300x800000000000000062611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.346{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mktag.exe|f9ff9b0e12a2d151\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mktag.exe 13241300x800000000000000062610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\BinProductVersion2.32.0.2 13241300x800000000000000062609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LinkDate07/06/2021 19:09:00 11241100x800000000000000062608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.345{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exeC:\Windows\Temp\4D7F90B8-F05F-436A-98BD-2DA9BC03BE8A.txt2021-07-19 10:45:16.345 13241300x800000000000000062607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\Publisherthe git development community 13241300x800000000000000062606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge.exe|882533b7baebdf26\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge.exe 13241300x800000000000000062605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\BinProductVersion2.32.0.2 13241300x800000000000000062604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LinkDate07/06/2021 19:09:00 13241300x800000000000000062603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\Publisherthe git development community 13241300x800000000000000062602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-tree.e|2091c16f572d3b68\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-tree.exe 13241300x800000000000000062601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\BinProductVersion2.32.0.2 13241300x800000000000000062600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.345{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\Publisherthe git development community 13241300x800000000000000062598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-subtre|334ec69ba0fedd6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-subtree.exe 13241300x800000000000000062597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\BinProductVersion2.32.0.2 13241300x800000000000000062596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LinkDate07/06/2021 19:09:00 13241300x800000000000000062595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\Publisherthe git development community 13241300x800000000000000062594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-recurs|5342cf57bbb67b35\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-recursive.exe 13241300x800000000000000062593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\BinProductVersion2.32.0.2 13241300x800000000000000062592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LinkDate07/06/2021 19:09:00 13241300x800000000000000062591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.344{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\Publisherthe git development community 13241300x800000000000000062590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-ours.e|8a9c9030af4fea1\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-ours.exe 13241300x800000000000000062589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\BinProductVersion2.32.0.2 13241300x800000000000000062588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\Publisherthe git development community 13241300x800000000000000062586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-index.|21be940b8e49773d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-index.exe 13241300x800000000000000062585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\BinProductVersion2.32.0.2 13241300x800000000000000062584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LinkDate07/06/2021 19:09:00 13241300x800000000000000062583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.343{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\Publisherthe git development community 13241300x800000000000000062582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-file.e|daffc665e459523c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-file.exe 13241300x800000000000000062581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\BinProductVersion2.32.0.2 13241300x800000000000000062580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LinkDate07/06/2021 19:09:00 13241300x800000000000000062579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\Publisherthe git development community 13241300x800000000000000062578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-merge-base.e|30dc1b69df66ab7c\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-merge-base.exe 13241300x800000000000000062577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\BinProductVersion2.32.0.2 13241300x800000000000000062576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\Publisherthe git development community 13241300x800000000000000062574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.342{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-maintenance.|3bae5fb74f39ca3b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-maintenance.exe 13241300x800000000000000062573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\BinProductVersion2.32.0.2 13241300x800000000000000062572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\Publisherthe git development community 13241300x800000000000000062570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailsplit.ex|6b4c4fb0ebcb699d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailsplit.exe 13241300x800000000000000062569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\BinProductVersion2.32.0.2 13241300x800000000000000062568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LinkDate07/06/2021 19:09:00 13241300x800000000000000062567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\Publisherthe git development community 13241300x800000000000000062566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.341{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-mailinfo.exe|301710ecfb7896f7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-mailinfo.exe 13241300x800000000000000062565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\BinProductVersion2.32.0.2 13241300x800000000000000062564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LinkDate07/06/2021 19:09:00 13241300x800000000000000062563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\Publisherthe git development community 13241300x800000000000000062562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-tree.exe|3da7a7da61dca8d3\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-tree.exe 13241300x800000000000000062561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\BinProductVersion2.32.0.2 13241300x800000000000000062560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\Publisherthe git development community 13241300x800000000000000062558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.340{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-remote.ex|70eaf315f15c7a6d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-remote.exe 13241300x800000000000000062557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\BinProductVersion2.32.0.2 13241300x800000000000000062556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LinkDate07/06/2021 19:09:00 13241300x800000000000000062555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\Publisherthe git development community 13241300x800000000000000062554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-ls-files.exe|1e3ad688e0cb54cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-ls-files.exe 13241300x800000000000000062553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\BinProductVersion2.32.0.2 13241300x800000000000000062552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LinkDate07/06/2021 19:09:00 13241300x800000000000000062551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\Publisherthe git development community 13241300x800000000000000062550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-log.exe|8e73c205e9f2f0be\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-log.exe 13241300x800000000000000062549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.339{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\BinProductVersion0.0.0.0 13241300x800000000000000062548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LinkDate01/01/1970 00:00:00 13241300x800000000000000062547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\Publisher(Empty) 13241300x800000000000000062546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|a5073c52b01e7b5b\LowerCaseLongPathc:\program files\git\mingw64\bin\git-lfs.exe 13241300x800000000000000062545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\BinProductVersion2.32.0.2 13241300x800000000000000062544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LinkDate07/06/2021 19:01:05 13241300x800000000000000062543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\Publisherthe git development community 13241300x800000000000000062542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-lfs.exe|5a5fd3616aa3e5b5\LowerCaseLongPathc:\program files\git\cmd\git-lfs.exe 13241300x800000000000000062541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\BinProductVersion2.32.0.2 13241300x800000000000000062540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.338{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LinkDate07/06/2021 19:09:00 13241300x800000000000000062539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\Publisherthe git development community 13241300x800000000000000062538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-interpret-tr|64a626455ecf8a98\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-interpret-trailers.exe 13241300x800000000000000062537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\BinProductVersion2.32.0.2 13241300x800000000000000062536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LinkDate07/06/2021 19:09:00 13241300x800000000000000062535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\Publisherthe git development community 13241300x800000000000000062534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init.exe|bfcd122907ddc590\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init.exe 13241300x800000000000000062533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\BinProductVersion2.32.0.2 13241300x800000000000000062532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LinkDate07/06/2021 19:09:00 13241300x800000000000000062531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.337{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\Publisherthe git development community 13241300x800000000000000062530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-init-db.exe|b6baf86f656c9cd\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-init-db.exe 13241300x800000000000000062529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\BinProductVersion2.32.0.2 13241300x800000000000000062528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\Publisherthe git development community 13241300x800000000000000062526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-index-pack.e|a057507fd54823f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-index-pack.exe 13241300x800000000000000062525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\BinProductVersion2.32.0.2 13241300x800000000000000062524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LinkDate07/06/2021 19:08:57 13241300x800000000000000062523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.336{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\Publisherthe git development community 13241300x800000000000000062522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-imap-send.ex|b89b2f1409a90d85\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-imap-send.exe 13241300x800000000000000062521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\BinProductVersion2.32.0.2 13241300x800000000000000062520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LinkDate07/06/2021 19:08:59 13241300x800000000000000062519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\Publisherthe git development community 13241300x800000000000000062518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-push.ex|68d3cf7d040e7329\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-push.exe 13241300x800000000000000062517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\BinProductVersion2.32.0.2 13241300x800000000000000062516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LinkDate07/06/2021 19:08:58 13241300x800000000000000062515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\Publisherthe git development community 13241300x800000000000000062514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.335{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-fetch.e|ab1d6cbc9e29e771\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-fetch.exe 13241300x800000000000000062513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\BinProductVersion2.32.0.2 13241300x800000000000000062512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LinkDate07/06/2021 19:08:57 13241300x800000000000000062511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\Publisherthe git development community 13241300x800000000000000062510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-http-backend|bf2a9779f0e0f190\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-http-backend.exe 13241300x800000000000000062509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\BinProductVersion2.32.0.2 13241300x800000000000000062508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\Publisherthe git development community 13241300x800000000000000062506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.334{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-help.exe|d3d7cc6cd9ec775b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-help.exe 13241300x800000000000000062505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\BinProductVersion2.32.0.2 13241300x800000000000000062504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LinkDate07/06/2021 19:09:00 13241300x800000000000000062503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\Publisherthe git development community 13241300x800000000000000062502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-hash-object.|ea29aa5df7dca895\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-hash-object.exe 13241300x800000000000000062501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\BinProductVersion2.32.0.2 13241300x800000000000000062500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LinkDate07/06/2021 19:01:05 13241300x800000000000000062499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\Publisherthe git development community 13241300x800000000000000062498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.333{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gui.exe|d3e16d00d6d9753e\LowerCaseLongPathc:\program files\git\cmd\git-gui.exe 13241300x800000000000000062497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\BinProductVersion2.32.0.2 13241300x800000000000000062496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LinkDate07/06/2021 19:09:00 13241300x800000000000000062495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\Publisherthe git development community 13241300x800000000000000062494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-grep.exe|ed39fb46aff75ef0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-grep.exe 13241300x800000000000000062493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\BinProductVersion2.32.0.2 13241300x800000000000000062492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LinkDate07/06/2021 19:09:00 13241300x800000000000000062491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\Publisherthe git development community 13241300x800000000000000062490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.332{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-get-tar-comm|7f010af0ea09c9e6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-get-tar-commit-id.exe 13241300x800000000000000062489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\BinProductVersion2.32.0.2 13241300x800000000000000062488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LinkDate07/06/2021 19:09:00 13241300x800000000000000062487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\Publisherthe git development community 13241300x800000000000000062486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-gc.exe|fdbdc98f5cb28d88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-gc.exe 13241300x800000000000000062485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\BinProductVersion2.32.0.2 13241300x800000000000000062484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LinkDate07/06/2021 19:09:00 13241300x800000000000000062483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\Publisherthe git development community 13241300x800000000000000062482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsmonitor--d|e5fc2f5ce2dcd18a\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsmonitor--daemon.exe 13241300x800000000000000062481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\BinProductVersion2.32.0.2 13241300x800000000000000062480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.331{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LinkDate07/06/2021 19:09:00 13241300x800000000000000062479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\Publisherthe git development community 13241300x800000000000000062478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck.exe|d8efbaa5b906f8b2\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck.exe 13241300x800000000000000062477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\BinProductVersion2.32.0.2 13241300x800000000000000062476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LinkDate07/06/2021 19:09:00 13241300x800000000000000062475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\Publisherthe git development community 13241300x800000000000000062474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fsck-objects|2121e55928d75601\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fsck-objects.exe 13241300x800000000000000062473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\BinProductVersion2.32.0.2 13241300x800000000000000062472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.330{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\Publisherthe git development community 13241300x800000000000000062470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-format-patch|9e2e07188f28a95d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-format-patch.exe 13241300x800000000000000062469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\BinProductVersion2.32.0.2 13241300x800000000000000062468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LinkDate07/06/2021 19:09:00 13241300x800000000000000062467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\Publisherthe git development community 13241300x800000000000000062466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-rep|c87afe0458a928d\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-repo.exe 13241300x800000000000000062465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\BinProductVersion2.32.0.2 13241300x800000000000000062464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\Publisherthe git development community 13241300x800000000000000062462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.329{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-for-each-ref|3abb92553793f6f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-for-each-ref.exe 13241300x800000000000000062461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\BinProductVersion2.32.0.2 13241300x800000000000000062460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LinkDate07/06/2021 19:09:00 13241300x800000000000000062459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\Publisherthe git development community 13241300x800000000000000062458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fmt-merge-ms|d963dc4ca06323fa\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fmt-merge-msg.exe 13241300x800000000000000062457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\BinProductVersion2.32.0.2 13241300x800000000000000062456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LinkDate07/06/2021 19:09:00 13241300x800000000000000062455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\Publisherthe git development community 13241300x800000000000000062454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.328{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch.exe|26836f160b2136d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch.exe 13241300x800000000000000062453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\BinProductVersion2.32.0.2 13241300x800000000000000062452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LinkDate07/06/2021 19:09:00 13241300x800000000000000062451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\Publisherthe git development community 13241300x800000000000000062450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fetch-pack.e|eaa13da8b960bb8f\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fetch-pack.exe 13241300x800000000000000062449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\BinProductVersion2.32.0.2 13241300x800000000000000062448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LinkDate07/06/2021 19:09:00 13241300x800000000000000062447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\Publisherthe git development community 13241300x800000000000000062446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-import.|6e2bb2de2d0c9142\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-import.exe 13241300x800000000000000062445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.327{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\BinProductVersion2.32.0.2 13241300x800000000000000062444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LinkDate07/06/2021 19:09:00 13241300x800000000000000062443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\Publisherthe git development community 13241300x800000000000000062442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-fast-export.|a89216de984913cf\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-fast-export.exe 13241300x800000000000000062441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\BinProductVersion2.32.0.2 13241300x800000000000000062440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LinkDate07/06/2021 19:09:00 13241300x800000000000000062439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\Publisherthe git development community 13241300x800000000000000062438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-env--helper.|2c74ba6e4fc1d4ec\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-env--helper.exe 13241300x800000000000000062437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\BinProductVersion2.32.0.2 13241300x800000000000000062436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.326{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LinkDate07/06/2021 19:09:00 13241300x800000000000000062435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\Publisherthe git development community 13241300x800000000000000062434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-difftool.exe|903a2ba27de6fa88\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-difftool.exe 13241300x800000000000000062433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\BinProductVersion2.32.0.2 13241300x800000000000000062432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LinkDate07/06/2021 19:09:00 13241300x800000000000000062431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\Publisherthe git development community 13241300x800000000000000062430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff.exe|fe3e1c9d29f52286\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff.exe 13241300x800000000000000062429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\BinProductVersion2.32.0.2 13241300x800000000000000062428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LinkDate07/06/2021 19:09:00 13241300x800000000000000062427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\Publisherthe git development community 13241300x800000000000000062426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.325{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-tree.ex|d17f2f481ab32d12\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-tree.exe 13241300x800000000000000062425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\BinProductVersion2.32.0.2 13241300x800000000000000062424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LinkDate07/06/2021 19:09:00 13241300x800000000000000062423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\Publisherthe git development community 13241300x800000000000000062422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-index.e|3e5a108a9f567115\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-index.exe 13241300x800000000000000062421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\BinProductVersion2.32.0.2 13241300x800000000000000062420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LinkDate07/06/2021 19:09:00 13241300x800000000000000062419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\Publisherthe git development community 13241300x800000000000000062418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.324{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-diff-files.e|4b52f8fbf7fa68d0\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-diff-files.exe 13241300x800000000000000062417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\BinProductVersion2.32.0.2 13241300x800000000000000062416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LinkDate07/06/2021 19:09:00 13241300x800000000000000062415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\Publisherthe git development community 13241300x800000000000000062414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-describe.exe|ca93040df5afaed5\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-describe.exe 13241300x800000000000000062413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\BinProductVersion2.32.0.2 13241300x800000000000000062412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LinkDate07/06/2021 19:08:56 13241300x800000000000000062411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\Publisherthe git development community 13241300x800000000000000062410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-daemon.exe|4df8efdd24573ae6\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-daemon.exe 13241300x800000000000000062409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\BinProductVersion2.32.0.2 13241300x800000000000000062408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.323{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LinkDate07/06/2021 19:09:00 13241300x800000000000000062407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\Publisherthe git development community 13241300x800000000000000062406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential.e|7fcfd8585219b3da\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential.exe 13241300x800000000000000062405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\BinProductVersion(Empty) 13241300x800000000000000062404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LinkDate07/06/2021 19:01:06 13241300x800000000000000062403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\Publisher(Empty) 13241300x800000000000000062402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-w|dd4fe27e45e1fd6b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-wincred.exe 13241300x800000000000000062401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\BinProductVersion2.32.0.2 13241300x800000000000000062400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LinkDate07/06/2021 19:09:00 13241300x800000000000000062399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.322{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\Publisherthe git development community 13241300x800000000000000062398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-s|f72ca269558b1404\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-store.exe 13241300x800000000000000062397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\BinProductVersion1.20.0.0 13241300x800000000000000062396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LinkDate09/05/2019 15:02:13 13241300x800000000000000062395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\Publishermicrosoft corporation 13241300x800000000000000062394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|55d73dc387b631bc\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager.exe 13241300x800000000000000062393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\BinProductVersion2.0.475.0 13241300x800000000000000062392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LinkDate04/28/2098 11:21:42 13241300x800000000000000062391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\Publishergit-credential-manager-core 13241300x800000000000000062390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.321{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-m|425ee5c501baf173\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-manager-core.exe 13241300x800000000000000062389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\BinProductVersion(Empty) 13241300x800000000000000062388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LinkDate01/01/1970 00:00:00 13241300x800000000000000062387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\Publisher(Empty) 13241300x800000000000000062386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-h|e6dcddb0bd298778\LowerCaseLongPathc:\program files\git\mingw64\bin\git-credential-helper-selector.exe 13241300x800000000000000062385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\BinProductVersion2.32.0.2 13241300x800000000000000062384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LinkDate07/06/2021 19:09:00 13241300x800000000000000062383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\Publisherthe git development community 13241300x800000000000000062382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.320{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|2da56af252cfcd16\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache.exe 13241300x800000000000000062381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\BinProductVersion2.32.0.2 13241300x800000000000000062380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LinkDate07/06/2021 19:09:00 13241300x800000000000000062379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\Publisherthe git development community 13241300x800000000000000062378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-credential-c|17175c202eed73b7\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-credential-cache--daemon.exe 13241300x800000000000000062377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\BinProductVersion2.32.0.2 13241300x800000000000000062376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LinkDate07/06/2021 19:09:00 13241300x800000000000000062375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\Publisherthe git development community 13241300x800000000000000062374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.319{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-count-object|9f950d53a6a442ff\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-count-objects.exe 13241300x800000000000000062373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\BinProductVersion2.32.0.2 13241300x800000000000000062372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LinkDate07/06/2021 19:09:00 13241300x800000000000000062371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\Publisherthe git development community 13241300x800000000000000062370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-config.exe|e75be4b0a6770696\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-config.exe 13241300x800000000000000062369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\BinProductVersion2.32.0.2 13241300x800000000000000062368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LinkDate07/06/2021 19:09:00 13241300x800000000000000062367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\Publisherthe git development community 13241300x800000000000000062366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit.exe|6e74d5dae67b444b\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit.exe 13241300x800000000000000062365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\BinProductVersion2.32.0.2 13241300x800000000000000062364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.318{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LinkDate07/06/2021 19:09:00 13241300x800000000000000062363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\Publisherthe git development community 13241300x800000000000000062362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-tree.|e83233ce3cd9ee79\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-tree.exe 13241300x800000000000000062361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\BinProductVersion2.32.0.2 13241300x800000000000000062360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LinkDate07/06/2021 19:09:00 13241300x800000000000000062359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\Publisherthe git development community 13241300x800000000000000062358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-commit-graph|d249b2d5436de447\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-commit-graph.exe 13241300x800000000000000062357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\BinProductVersion2.32.0.2 13241300x800000000000000062356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.317{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LinkDate07/06/2021 19:09:00 13241300x800000000000000062355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\Publisherthe git development community 13241300x800000000000000062354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-column.exe|218c406abdb7f5d8\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-column.exe 13241300x800000000000000062353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\BinProductVersion2.32.0.2 13241300x800000000000000062352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LinkDate07/06/2021 19:01:04 13241300x800000000000000062351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\Publisherthe git development community 13241300x800000000000000062350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.316{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cmd.exe|7955156508a74f3e\LowerCaseLongPathc:\program files\git\git-cmd.exe 13241300x800000000000000062349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\BinProductVersion2.32.0.2 13241300x800000000000000062348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LinkDate07/06/2021 19:09:00 13241300x800000000000000062347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\Publisherthe git development community 13241300x800000000000000062346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clone.exe|d02aef8e1b723e2e\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clone.exe 13241300x800000000000000062345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\BinProductVersion2.32.0.2 13241300x800000000000000062344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LinkDate07/06/2021 19:09:00 13241300x800000000000000062343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\Publisherthe git development community 13241300x800000000000000062342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-clean.exe|d4eb9fccf53085a4\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-clean.exe 13241300x800000000000000062341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\BinProductVersion2.32.0.2 13241300x800000000000000062340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.315{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LinkDate07/06/2021 19:09:00 13241300x800000000000000062339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\Publisherthe git development community 13241300x800000000000000062338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.314{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\git-cherry.exe|e775100e4df4ef32\LowerCaseLongPathc:\program files\git\mingw64\libexec\git-core\git-cherry.exe 23542300x800000000000000028915Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:17.140{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B277903F89EB723296B68B556075110,SHA256=846C18A778C38DD20367F7BB1067562DC01C8F0FCA2859E30B33DD1A29179E06,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000063692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\BinProductVersion(Empty) 13241300x800000000000000063691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LinkDate01/01/1970 00:00:00 13241300x800000000000000063690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\Publisher(Empty) 13241300x800000000000000063689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tty.exe|f000538bcc1d4307\LowerCaseLongPathc:\program files\git\usr\bin\tty.exe 13241300x800000000000000063688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\BinProductVersion(Empty) 13241300x800000000000000063687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\Publisher(Empty) 13241300x800000000000000063685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.461{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tsort.exe|cfc2b8bfaeea292f\LowerCaseLongPathc:\program files\git\usr\bin\tsort.exe 13241300x800000000000000063684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\BinProductVersion(Empty) 13241300x800000000000000063683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LinkDate01/01/1970 00:00:00 13241300x800000000000000063682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\Publisher(Empty) 13241300x800000000000000063681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tset.exe|9472efe3f6c3d05\LowerCaseLongPathc:\program files\git\usr\bin\tset.exe 13241300x800000000000000063680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\BinProductVersion(Empty) 13241300x800000000000000063679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LinkDate01/01/1970 00:00:00 13241300x800000000000000063678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\Publisher(Empty) 13241300x800000000000000063677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\trust.exe|8799eae1c6ff22d6\LowerCaseLongPathc:\program files\git\usr\bin\trust.exe 13241300x800000000000000063676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\BinProductVersion(Empty) 13241300x800000000000000063675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\Publisher(Empty) 13241300x800000000000000063673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\truncate.exe|c8ba1860e9b89c7c\LowerCaseLongPathc:\program files\git\usr\bin\truncate.exe 13241300x800000000000000063672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\BinProductVersion(Empty) 13241300x800000000000000063671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.460{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LinkDate01/01/1970 00:00:00 13241300x800000000000000063670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\Publisher(Empty) 13241300x800000000000000063669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\true.exe|63cbe5fc93313f79\LowerCaseLongPathc:\program files\git\usr\bin\true.exe 13241300x800000000000000063668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\BinProductVersion(Empty) 13241300x800000000000000063667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LinkDate01/01/1970 00:00:00 13241300x800000000000000063666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\Publisher(Empty) 13241300x800000000000000063665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tr.exe|8da93faf0d2cfacc\LowerCaseLongPathc:\program files\git\usr\bin\tr.exe 13241300x800000000000000063664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\BinProductVersion(Empty) 13241300x800000000000000063663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LinkDate01/01/1970 00:00:00 13241300x800000000000000063662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\Publisher(Empty) 13241300x800000000000000063661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tput.exe|b8002a648477f6bb\LowerCaseLongPathc:\program files\git\usr\bin\tput.exe 13241300x800000000000000063660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\BinProductVersion(Empty) 13241300x800000000000000063659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.459{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LinkDate01/01/1970 00:00:00 13241300x800000000000000063658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\Publisher(Empty) 13241300x800000000000000063657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\touch.exe|be858ef96bb42d35\LowerCaseLongPathc:\program files\git\usr\bin\touch.exe 13241300x800000000000000063656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\BinProductVersion(Empty) 13241300x800000000000000063655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LinkDate01/01/1970 00:00:00 13241300x800000000000000063654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\Publisher(Empty) 13241300x800000000000000063653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\toe.exe|575b8daf3eccb5a3\LowerCaseLongPathc:\program files\git\usr\bin\toe.exe 13241300x800000000000000063652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\BinProductVersion(Empty) 13241300x800000000000000063651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\Publisher(Empty) 13241300x800000000000000063649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\timeout.exe|f5ffdc28654e342e\LowerCaseLongPathc:\program files\git\usr\bin\timeout.exe 13241300x800000000000000063648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\BinProductVersion(Empty) 13241300x800000000000000063647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.458{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LinkDate01/01/1970 00:00:00 13241300x800000000000000063646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\Publisher(Empty) 13241300x800000000000000063645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tig.exe|20d76728e205d2a5\LowerCaseLongPathc:\program files\git\usr\bin\tig.exe 13241300x800000000000000063644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\BinProductVersion(Empty) 13241300x800000000000000063643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\Publisher(Empty) 13241300x800000000000000063641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tic.exe|c473b2ddd094de9a\LowerCaseLongPathc:\program files\git\usr\bin\tic.exe 13241300x800000000000000063640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\BinProductVersion(Empty) 13241300x800000000000000063639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\Publisher(Empty) 13241300x800000000000000063637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.457{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\test.exe|74f4cc67b5c7e4f\LowerCaseLongPathc:\program files\git\usr\bin\test.exe 13241300x800000000000000063636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\BinProductVersion(Empty) 13241300x800000000000000063635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\Publisher(Empty) 13241300x800000000000000063633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tee.exe|991299bf040bfe2d\LowerCaseLongPathc:\program files\git\usr\bin\tee.exe 13241300x800000000000000063632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\BinProductVersion8.6.2.11 13241300x800000000000000063631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LinkDate01/01/1970 00:00:00 13241300x800000000000000063630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\Publisheractivestate corporation 13241300x800000000000000063629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.456{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh86.exe|4994964426e57062\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh86.exe 13241300x800000000000000063628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\BinProductVersion8.6.2.11 13241300x800000000000000063627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LinkDate01/01/1970 00:00:00 13241300x800000000000000063626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\Publisheractivestate corporation 13241300x800000000000000063625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tclsh.exe|c680bc50ff765224\LowerCaseLongPathc:\program files\git\mingw64\bin\tclsh.exe 13241300x800000000000000063624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\BinProductVersion(Empty) 13241300x800000000000000063623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.455{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\Publisher(Empty) 13241300x800000000000000063621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tar.exe|1dbed49e1ef6b70d\LowerCaseLongPathc:\program files\git\usr\bin\tar.exe 13241300x800000000000000063620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\BinProductVersion(Empty) 13241300x800000000000000063619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\Publisher(Empty) 13241300x800000000000000063617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tail.exe|6acc971f2533f90e\LowerCaseLongPathc:\program files\git\usr\bin\tail.exe 13241300x800000000000000063616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\BinProductVersion(Empty) 13241300x800000000000000063615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\Publisher(Empty) 13241300x800000000000000063613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.454{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tac.exe|e73e5023bd74098e\LowerCaseLongPathc:\program files\git\usr\bin\tac.exe 13241300x800000000000000063612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\BinProductVersion(Empty) 13241300x800000000000000063611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\Publisher(Empty) 13241300x800000000000000063609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tabs.exe|743d286408f97c6a\LowerCaseLongPathc:\program files\git\usr\bin\tabs.exe 13241300x800000000000000063608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\BinProductVersion(Empty) 13241300x800000000000000063607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LinkDate01/01/1970 00:00:00 13241300x800000000000000063606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\Publisher(Empty) 13241300x800000000000000063605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.453{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sync.exe|5031e1e27bd724c8\LowerCaseLongPathc:\program files\git\usr\bin\sync.exe 13241300x800000000000000063604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\BinProductVersion(Empty) 13241300x800000000000000063603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LinkDate01/01/1970 00:00:00 13241300x800000000000000063602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\Publisher(Empty) 13241300x800000000000000063601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sum.exe|624682ccf5cba616\LowerCaseLongPathc:\program files\git\usr\bin\sum.exe 13241300x800000000000000063600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\BinProductVersion(Empty) 13241300x800000000000000063599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LinkDate01/01/1970 00:00:00 13241300x800000000000000063598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\Publisher(Empty) 13241300x800000000000000063597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.452{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stty.exe|4906c606dce675\LowerCaseLongPathc:\program files\git\usr\bin\stty.exe 13241300x800000000000000063596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\BinProductVersion(Empty) 13241300x800000000000000063595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LinkDate03/26/2021 22:24:41 13241300x800000000000000063594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\Publisher(Empty) 13241300x800000000000000063593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\strace.exe|2e71f496c5d1f2c3\LowerCaseLongPathc:\program files\git\usr\bin\strace.exe 13241300x800000000000000063592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\BinProductVersion(Empty) 13241300x800000000000000063591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LinkDate01/01/1970 00:00:00 13241300x800000000000000063590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\Publisher(Empty) 13241300x800000000000000063589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.451{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\stat.exe|1f444a67c4725e6b\LowerCaseLongPathc:\program files\git\usr\bin\stat.exe 13241300x800000000000000063588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\BinProductVersion(Empty) 13241300x800000000000000063587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LinkDate03/26/2021 22:24:41 13241300x800000000000000063586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\Publisher(Empty) 13241300x800000000000000063585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssp.exe|e0a08db5e80ffcdd\LowerCaseLongPathc:\program files\git\usr\bin\ssp.exe 13241300x800000000000000063584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\BinProductVersion(Empty) 13241300x800000000000000063583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LinkDate01/01/1970 00:00:00 13241300x800000000000000063582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\Publisher(Empty) 13241300x800000000000000063581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sshd.exe|5f6404603331db89\LowerCaseLongPathc:\program files\git\usr\bin\sshd.exe 13241300x800000000000000063580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\BinProductVersion(Empty) 13241300x800000000000000063579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\Publisher(Empty) 13241300x800000000000000063577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh.exe|4c8b77151293e36e\LowerCaseLongPathc:\program files\git\usr\bin\ssh.exe 13241300x800000000000000063576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.450{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\BinProductVersion(Empty) 13241300x800000000000000063575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LinkDate01/01/1970 00:00:00 13241300x800000000000000063574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\Publisher(Empty) 13241300x800000000000000063573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-sk-helper.ex|526e238c0df646d1\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-sk-helper.exe 13241300x800000000000000063572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\BinProductVersion(Empty) 13241300x800000000000000063571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LinkDate01/01/1970 00:00:00 13241300x800000000000000063570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\Publisher(Empty) 13241300x800000000000000063569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pkcs11-helpe|d67a44ebac5d5f31\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-pkcs11-helper.exe 13241300x800000000000000063568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\BinProductVersion(Empty) 13241300x800000000000000063567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\Publisher(Empty) 13241300x800000000000000063565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-pageant.exe|f558d3a8a2e8201c\LowerCaseLongPathc:\program files\git\usr\bin\ssh-pageant.exe 13241300x800000000000000063564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\BinProductVersion(Empty) 13241300x800000000000000063563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.449{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LinkDate01/01/1970 00:00:00 13241300x800000000000000063562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\Publisher(Empty) 13241300x800000000000000063561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keysign.exe|9428dc5f875b1cbe\LowerCaseLongPathc:\program files\git\usr\lib\ssh\ssh-keysign.exe 13241300x800000000000000063560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\BinProductVersion(Empty) 13241300x800000000000000063559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LinkDate01/01/1970 00:00:00 13241300x800000000000000063558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\Publisher(Empty) 13241300x800000000000000063557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keyscan.exe|54318a1f39629d66\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keyscan.exe 13241300x800000000000000063556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\BinProductVersion(Empty) 13241300x800000000000000063555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\Publisher(Empty) 13241300x800000000000000063553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-keygen.exe|4fd9485267bf242f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-keygen.exe 13241300x800000000000000063552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\BinProductVersion(Empty) 13241300x800000000000000063551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.448{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\Publisher(Empty) 13241300x800000000000000063549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-agent.exe|1411e9f6efc17c0f\LowerCaseLongPathc:\program files\git\usr\bin\ssh-agent.exe 13241300x800000000000000063548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\BinProductVersion(Empty) 13241300x800000000000000063547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LinkDate01/01/1970 00:00:00 13241300x800000000000000063546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\Publisher(Empty) 13241300x800000000000000063545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssh-add.exe|52771e80916527e6\LowerCaseLongPathc:\program files\git\usr\bin\ssh-add.exe 13241300x800000000000000063544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\BinProductVersion(Empty) 13241300x800000000000000063543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LinkDate01/01/1970 00:00:00 13241300x800000000000000063542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.447{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\Publisher(Empty) 13241300x800000000000000063541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\split.exe|6b78af18101c82a4\LowerCaseLongPathc:\program files\git\usr\bin\split.exe 13241300x800000000000000063540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\BinProductVersion(Empty) 13241300x800000000000000063539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LinkDate01/01/1970 00:00:00 13241300x800000000000000063538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\Publisher(Empty) 13241300x800000000000000063537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sort.exe|5a1eaeebcdfdfa5b\LowerCaseLongPathc:\program files\git\usr\bin\sort.exe 13241300x800000000000000063536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\BinProductVersion(Empty) 13241300x800000000000000063535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LinkDate01/01/1970 00:00:00 13241300x800000000000000063534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\Publisher(Empty) 13241300x800000000000000063533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sleep.exe|1e8f62417166ba32\LowerCaseLongPathc:\program files\git\usr\bin\sleep.exe 13241300x800000000000000063532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\BinProductVersion(Empty) 13241300x800000000000000063531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.446{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LinkDate01/01/1970 00:00:00 13241300x800000000000000063530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\Publisher(Empty) 13241300x800000000000000063529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shuf.exe|cfb51deed9f02428\LowerCaseLongPathc:\program files\git\usr\bin\shuf.exe 13241300x800000000000000063528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\BinProductVersion(Empty) 13241300x800000000000000063527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LinkDate01/01/1970 00:00:00 13241300x800000000000000063526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\Publisher(Empty) 13241300x800000000000000063525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\shred.exe|43071571d2a31944\LowerCaseLongPathc:\program files\git\usr\bin\shred.exe 13241300x800000000000000063524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\BinProductVersion(Empty) 13241300x800000000000000063523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LinkDate01/01/1970 00:00:00 13241300x800000000000000063522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.445{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\Publisher(Empty) 13241300x800000000000000063521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha512sum.exe|f96cb84497fcdcc3\LowerCaseLongPathc:\program files\git\usr\bin\sha512sum.exe 13241300x800000000000000063520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\BinProductVersion(Empty) 13241300x800000000000000063519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\Publisher(Empty) 13241300x800000000000000063517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha384sum.exe|ea7c3d331520b41a\LowerCaseLongPathc:\program files\git\usr\bin\sha384sum.exe 13241300x800000000000000063516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\BinProductVersion(Empty) 13241300x800000000000000063515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LinkDate01/01/1970 00:00:00 13241300x800000000000000063514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\Publisher(Empty) 13241300x800000000000000063513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.444{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha256sum.exe|d1427df5ba9eb839\LowerCaseLongPathc:\program files\git\usr\bin\sha256sum.exe 13241300x800000000000000063512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\BinProductVersion(Empty) 13241300x800000000000000063511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\Publisher(Empty) 13241300x800000000000000063509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha224sum.exe|fc63c300ff87f33f\LowerCaseLongPathc:\program files\git\usr\bin\sha224sum.exe 13241300x800000000000000063508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\BinProductVersion(Empty) 13241300x800000000000000063507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\Publisher(Empty) 13241300x800000000000000063505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.443{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sha1sum.exe|f6d44c369684cd7e\LowerCaseLongPathc:\program files\git\usr\bin\sha1sum.exe 13241300x800000000000000063504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\BinProductVersion2.32.0.2 13241300x800000000000000063503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LinkDate07/06/2021 19:01:05 13241300x800000000000000063502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\Publisherthe git development community 13241300x800000000000000063501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|464d78a7aeef6674\LowerCaseLongPathc:\program files\git\bin\sh.exe 13241300x800000000000000063500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\BinProductVersion(Empty) 13241300x800000000000000063499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LinkDate12/04/2018 10:21:15 13241300x800000000000000063498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\Publisher(Empty) 13241300x800000000000000063497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sh.exe|1bb90a29aab21f25\LowerCaseLongPathc:\program files\git\usr\bin\sh.exe 13241300x800000000000000063496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\BinProductVersion(Empty) 13241300x800000000000000063495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.442{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LinkDate01/01/1970 00:00:00 13241300x800000000000000063494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\Publisher(Empty) 13241300x800000000000000063493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp.exe|e3eb45112610e0ab\LowerCaseLongPathc:\program files\git\usr\bin\sftp.exe 13241300x800000000000000063492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\BinProductVersion(Empty) 13241300x800000000000000063491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LinkDate01/01/1970 00:00:00 13241300x800000000000000063490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\Publisher(Empty) 13241300x800000000000000063489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sftp-server.exe|88c04bc0a95e22d3\LowerCaseLongPathc:\program files\git\usr\lib\ssh\sftp-server.exe 13241300x800000000000000063488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\BinProductVersion(Empty) 13241300x800000000000000063487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.441{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LinkDate01/01/1970 00:00:00 13241300x800000000000000063486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\Publisher(Empty) 13241300x800000000000000063485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|ff49bfd2063ca556\LowerCaseLongPathc:\program files\git\mingw64\bin\sexp-conv.exe 13241300x800000000000000063484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\BinProductVersion(Empty) 13241300x800000000000000063483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LinkDate01/01/1970 00:00:00 13241300x800000000000000063482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\Publisher(Empty) 13241300x800000000000000063481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sexp-conv.exe|8bde837678ce07ac\LowerCaseLongPathc:\program files\git\usr\bin\sexp-conv.exe 13241300x800000000000000063480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\BinProductVersion(Empty) 13241300x800000000000000063479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.440{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LinkDate03/26/2021 22:24:40 13241300x800000000000000063478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\Publisher(Empty) 13241300x800000000000000063477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setmetamode.exe|2c2c0eb5bddaec82\LowerCaseLongPathc:\program files\git\usr\bin\setmetamode.exe 13241300x800000000000000063476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\BinProductVersion(Empty) 13241300x800000000000000063475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LinkDate03/26/2021 22:24:40 13241300x800000000000000063474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\Publisher(Empty) 13241300x800000000000000063473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setfacl.exe|3de57f6a3e2d7242\LowerCaseLongPathc:\program files\git\usr\bin\setfacl.exe 13241300x800000000000000063472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\BinProductVersion(Empty) 13241300x800000000000000063471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.439{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\Publisher(Empty) 13241300x800000000000000063469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\seq.exe|1f2e494e389bf41a\LowerCaseLongPathc:\program files\git\usr\bin\seq.exe 13241300x800000000000000063468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\BinProductVersion(Empty) 13241300x800000000000000063467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\Publisher(Empty) 13241300x800000000000000063465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sed.exe|cef6dc9db4fd3f4e\LowerCaseLongPathc:\program files\git\usr\bin\sed.exe 13241300x800000000000000063464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\BinProductVersion(Empty) 13241300x800000000000000063463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LinkDate01/01/1970 00:00:00 13241300x800000000000000063462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\Publisher(Empty) 13241300x800000000000000063461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.438{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdiff.exe|4d47b8c2d2524c04\LowerCaseLongPathc:\program files\git\usr\bin\sdiff.exe 13241300x800000000000000063460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\BinProductVersion(Empty) 13241300x800000000000000063459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\Publisher(Empty) 13241300x800000000000000063457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scp.exe|7ba9f24b1c00395a\LowerCaseLongPathc:\program files\git\usr\bin\scp.exe 13241300x800000000000000063456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\BinProductVersion(Empty) 13241300x800000000000000063455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\Publisher(Empty) 13241300x800000000000000063453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.437{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scdaemon.exe|53479827260a265e\LowerCaseLongPathc:\program files\git\usr\lib\gnupg\scdaemon.exe 13241300x800000000000000063452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\BinProductVersion(Empty) 13241300x800000000000000063451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LinkDate01/01/1970 00:00:00 13241300x800000000000000063450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\Publisher(Empty) 13241300x800000000000000063449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rvim.exe|58eacdb700b2ffd3\LowerCaseLongPathc:\program files\git\usr\bin\rvim.exe 13241300x800000000000000063448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\BinProductVersion(Empty) 13241300x800000000000000063447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\Publisher(Empty) 13241300x800000000000000063445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rview.exe|1b8d8c7426c49f6d\LowerCaseLongPathc:\program files\git\usr\bin\rview.exe 13241300x800000000000000063444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\BinProductVersion(Empty) 13241300x800000000000000063443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.436{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LinkDate01/01/1970 00:00:00 13241300x800000000000000063442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\Publisher(Empty) 13241300x800000000000000063441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\runcon.exe|9d9d38ca848c2576\LowerCaseLongPathc:\program files\git\usr\bin\runcon.exe 13241300x800000000000000063440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\BinProductVersion(Empty) 13241300x800000000000000063439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\Publisher(Empty) 13241300x800000000000000063437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rnano.exe|59695cb2874e092d\LowerCaseLongPathc:\program files\git\usr\bin\rnano.exe 13241300x800000000000000063436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\BinProductVersion(Empty) 13241300x800000000000000063435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LinkDate01/01/1970 00:00:00 13241300x800000000000000063434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\Publisher(Empty) 13241300x800000000000000063433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmt.exe|dda7820342efab83\LowerCaseLongPathc:\program files\git\usr\lib\tar\rmt.exe 13241300x800000000000000063432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.435{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\BinProductVersion(Empty) 13241300x800000000000000063431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LinkDate01/01/1970 00:00:00 13241300x800000000000000063430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\Publisher(Empty) 13241300x800000000000000063429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rmdir.exe|1053bde30940b254\LowerCaseLongPathc:\program files\git\usr\bin\rmdir.exe 13241300x800000000000000063428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\BinProductVersion(Empty) 13241300x800000000000000063427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LinkDate01/01/1970 00:00:00 13241300x800000000000000063426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\Publisher(Empty) 13241300x800000000000000063425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rm.exe|1eee459e666dde29\LowerCaseLongPathc:\program files\git\usr\bin\rm.exe 13241300x800000000000000063424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\BinProductVersion(Empty) 13241300x800000000000000063423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LinkDate01/01/1970 00:00:00 13241300x800000000000000063422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\Publisher(Empty) 13241300x800000000000000063421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.434{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\reset.exe|bb8c4a8b474d3d85\LowerCaseLongPathc:\program files\git\usr\bin\reset.exe 13241300x800000000000000063420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\BinProductVersion(Empty) 13241300x800000000000000063419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LinkDate03/26/2021 22:24:40 13241300x800000000000000063418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\Publisher(Empty) 13241300x800000000000000063417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\regtool.exe|2c34de713dfed575\LowerCaseLongPathc:\program files\git\usr\bin\regtool.exe 13241300x800000000000000063416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\BinProductVersion(Empty) 13241300x800000000000000063415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LinkDate06/19/2025 15:30:53 13241300x800000000000000063414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\Publisher(Empty) 13241300x800000000000000063413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.433{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\recode-sr-latin.|fef01b1a870bf6ba\LowerCaseLongPathc:\program files\git\usr\bin\recode-sr-latin.exe 13241300x800000000000000063412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\BinProductVersion(Empty) 13241300x800000000000000063411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LinkDate01/01/1970 00:00:00 13241300x800000000000000063410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\Publisher(Empty) 13241300x800000000000000063409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\rebase.exe|227817bf057aff56\LowerCaseLongPathc:\program files\git\usr\bin\rebase.exe 13241300x800000000000000063408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\BinProductVersion(Empty) 13241300x800000000000000063407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LinkDate01/01/1970 00:00:00 13241300x800000000000000063406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\Publisher(Empty) 13241300x800000000000000063405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.432{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\realpath.exe|c0afeb0f661fb0d7\LowerCaseLongPathc:\program files\git\usr\bin\realpath.exe 13241300x800000000000000063404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\BinProductVersion(Empty) 13241300x800000000000000063403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LinkDate01/01/1970 00:00:00 13241300x800000000000000063402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\Publisher(Empty) 13241300x800000000000000063401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\readlink.exe|95adf512ea71f082\LowerCaseLongPathc:\program files\git\usr\bin\readlink.exe 13241300x800000000000000063400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\BinProductVersion(Empty) 13241300x800000000000000063399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LinkDate01/01/1970 00:00:00 13241300x800000000000000063398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\Publisher(Empty) 13241300x800000000000000063397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwd.exe|d284abac49ab21f2\LowerCaseLongPathc:\program files\git\usr\bin\pwd.exe 13241300x800000000000000063396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.431{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\BinProductVersion(Empty) 13241300x800000000000000063395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LinkDate01/01/1970 00:00:00 13241300x800000000000000063394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\Publisher(Empty) 13241300x800000000000000063393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pwcat.exe|8b9017bb0d797817\LowerCaseLongPathc:\program files\git\usr\lib\awk\pwcat.exe 13241300x800000000000000063392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\BinProductVersion(Empty) 13241300x800000000000000063391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\Publisher(Empty) 13241300x800000000000000063389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ptx.exe|e8f065049d3c881d\LowerCaseLongPathc:\program files\git\usr\bin\ptx.exe 13241300x800000000000000063388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\BinProductVersion(Empty) 13241300x800000000000000063387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.430{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LinkDate01/01/1970 00:00:00 13241300x800000000000000063386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\Publisher(Empty) 13241300x800000000000000063385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\psl.exe|c168c852dc0b9a95\LowerCaseLongPathc:\program files\git\usr\bin\psl.exe 13241300x800000000000000063384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\BinProductVersion(Empty) 13241300x800000000000000063383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LinkDate03/26/2021 22:24:40 13241300x800000000000000063382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\Publisher(Empty) 13241300x800000000000000063381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ps.exe|c0f5c870a00cafd8\LowerCaseLongPathc:\program files\git\usr\bin\ps.exe 13241300x800000000000000063380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\BinProductVersion(Empty) 13241300x800000000000000063379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LinkDate01/01/1970 00:00:00 13241300x800000000000000063378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.429{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\Publisher(Empty) 13241300x800000000000000063377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\proxy-lookup.exe|1b18ebec8d870bc5\LowerCaseLongPathc:\program files\git\mingw64\bin\proxy-lookup.exe 13241300x800000000000000063376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\BinProductVersion(Empty) 13241300x800000000000000063375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LinkDate01/01/1970 00:00:00 13241300x800000000000000063374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\Publisher(Empty) 13241300x800000000000000063373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printf.exe|89ffa032389ba988\LowerCaseLongPathc:\program files\git\usr\bin\printf.exe 13241300x800000000000000063372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\BinProductVersion(Empty) 13241300x800000000000000063371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LinkDate01/01/1970 00:00:00 13241300x800000000000000063370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\Publisher(Empty) 13241300x800000000000000063369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.428{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\printenv.exe|f3bb2a19296ad0a0\LowerCaseLongPathc:\program files\git\usr\bin\printenv.exe 13241300x800000000000000063368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\BinProductVersion(Empty) 13241300x800000000000000063367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LinkDate01/01/1970 00:00:00 13241300x800000000000000063366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\Publisher(Empty) 13241300x800000000000000063365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pr.exe|4e05d5efd64cfc18\LowerCaseLongPathc:\program files\git\usr\bin\pr.exe 13241300x800000000000000063364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\BinProductVersion(Empty) 13241300x800000000000000063363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LinkDate01/01/1970 00:00:00 13241300x800000000000000063362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\Publisher(Empty) 13241300x800000000000000063361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.427{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pluginviewer.exe|f40dc68beb42a176\LowerCaseLongPathc:\program files\git\usr\bin\pluginviewer.exe 13241300x800000000000000063360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\BinProductVersion(Empty) 13241300x800000000000000063359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LinkDate03/26/2021 22:24:40 13241300x800000000000000063358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\Publisher(Empty) 13241300x800000000000000063357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pldd.exe|2d0b12ded17c614c\LowerCaseLongPathc:\program files\git\usr\bin\pldd.exe 13241300x800000000000000063356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\BinProductVersion(Empty) 13241300x800000000000000063355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\Publisher(Empty) 13241300x800000000000000063353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.426{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|8fa2ffc9f6076c8c\LowerCaseLongPathc:\program files\git\mingw64\bin\pkcs1-conv.exe 13241300x800000000000000063352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\BinProductVersion(Empty) 13241300x800000000000000063351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LinkDate01/01/1970 00:00:00 13241300x800000000000000063350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\Publisher(Empty) 13241300x800000000000000063349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pkcs1-conv.exe|5cc5d2e050d9b487\LowerCaseLongPathc:\program files\git\usr\bin\pkcs1-conv.exe 13241300x800000000000000063348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\BinProductVersion(Empty) 13241300x800000000000000063347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LinkDate01/01/1970 00:00:00 13241300x800000000000000063346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\Publisher(Empty) 13241300x800000000000000063345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinky.exe|852da7421d64c177\LowerCaseLongPathc:\program files\git\usr\bin\pinky.exe 13241300x800000000000000063344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\BinProductVersion(Empty) 13241300x800000000000000063343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.425{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LinkDate01/01/1970 00:00:00 13241300x800000000000000063342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\Publisher(Empty) 13241300x800000000000000063341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry.exe|5a096695f03f1450\LowerCaseLongPathc:\program files\git\usr\bin\pinentry.exe 13241300x800000000000000063340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\BinProductVersion(Empty) 13241300x800000000000000063339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LinkDate01/01/1970 00:00:00 13241300x800000000000000063338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\Publisher(Empty) 13241300x800000000000000063337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pinentry-w32.exe|24e0f01a1d2b39e8\LowerCaseLongPathc:\program files\git\usr\bin\pinentry-w32.exe 13241300x800000000000000063336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\BinProductVersion(Empty) 13241300x800000000000000063335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\LinkDate01/01/1970 00:00:00 13241300x800000000000000063334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.424{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\Publisher(Empty) 13241300x800000000000000063333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl5.32.1.exe|c43f6e17b4097a52\LowerCaseLongPathc:\program files\git\usr\bin\perl5.32.1.exe 13241300x800000000000000063332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\BinProductVersion(Empty) 13241300x800000000000000063331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LinkDate01/01/1970 00:00:00 13241300x800000000000000063330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\Publisher(Empty) 13241300x800000000000000063329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perl.exe|196d1afec7915eef\LowerCaseLongPathc:\program files\git\usr\bin\perl.exe 13241300x800000000000000063328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\BinProductVersion(Empty) 13241300x800000000000000063327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LinkDate01/01/1970 00:00:00 13241300x800000000000000063326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.423{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\Publisher(Empty) 13241300x800000000000000063325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdftotext.exe|69d0d84ca547f7ea\LowerCaseLongPathc:\program files\git\mingw64\bin\pdftotext.exe 13241300x800000000000000063324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\BinProductVersion(Empty) 13241300x800000000000000063323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\Publisher(Empty) 13241300x800000000000000063321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pathchk.exe|815a4f847b55a65e\LowerCaseLongPathc:\program files\git\usr\bin\pathchk.exe 13241300x800000000000000063320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\BinProductVersion(Empty) 13241300x800000000000000063319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\Publisher(Empty) 13241300x800000000000000063317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.422{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\patch.exe|ec282c9a0120237a\LowerCaseLongPathc:\program files\git\usr\bin\patch.exe 13241300x800000000000000063316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\BinProductVersion(Empty) 13241300x800000000000000063315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LinkDate01/01/1970 00:00:00 13241300x800000000000000063314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\Publisher(Empty) 13241300x800000000000000063313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\paste.exe|4b6449e13df12ac2\LowerCaseLongPathc:\program files\git\usr\bin\paste.exe 13241300x800000000000000063312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\BinProductVersion(Empty) 13241300x800000000000000063311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LinkDate03/26/2021 22:24:40 13241300x800000000000000063310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\Publisher(Empty) 13241300x800000000000000063309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.421{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\passwd.exe|3074fd45afd21d5a\LowerCaseLongPathc:\program files\git\usr\bin\passwd.exe 13241300x800000000000000063308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\BinProductVersion(Empty) 13241300x800000000000000063307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\Publisher(Empty) 13241300x800000000000000063305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit.exe|8bade04a6e35b25c\LowerCaseLongPathc:\program files\git\usr\bin\p11-kit.exe 13241300x800000000000000063304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\BinProductVersion(Empty) 13241300x800000000000000063303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LinkDate01/01/1970 00:00:00 13241300x800000000000000063302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\Publisher(Empty) 13241300x800000000000000063301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-server.e|2949625778c73062\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-server.exe 13241300x800000000000000063300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\BinProductVersion(Empty) 13241300x800000000000000063299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.420{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LinkDate01/01/1970 00:00:00 13241300x800000000000000063298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\Publisher(Empty) 13241300x800000000000000063297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\p11-kit-remote.e|51a36587ed162938\LowerCaseLongPathc:\program files\git\usr\libexec\p11-kit\p11-kit-remote.exe 13241300x800000000000000063296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\BinProductVersion1.1.1.11 13241300x800000000000000063295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LinkDate03/25/2021 15:20:47 13241300x800000000000000063294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\Publisherthe openssl project, https://www.openssl.org/ 13241300x800000000000000063293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|f1700e8a34a30f68\LowerCaseLongPathc:\program files\git\mingw64\bin\openssl.exe 13241300x800000000000000063292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\BinProductVersion1.1.1.11 13241300x800000000000000063291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LinkDate01/01/1970 00:00:00 13241300x800000000000000063290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.419{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\Publisherthe openssl project, https://www.openssl.org/ 13241300x800000000000000063289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|171f6196cf43df96\LowerCaseLongPathc:\program files\git\usr\bin\openssl.exe 13241300x800000000000000063288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\BinProductVersion(Empty) 13241300x800000000000000063287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\Publisher(Empty) 13241300x800000000000000063285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\odt2txt.exe|6473e7d965a98c3a\LowerCaseLongPathc:\program files\git\mingw64\bin\odt2txt.exe 13241300x800000000000000063284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\BinProductVersion(Empty) 13241300x800000000000000063283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\Publisher(Empty) 13241300x800000000000000063281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.418{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\od.exe|4327ce9d2e91b98c\LowerCaseLongPathc:\program files\git\usr\bin\od.exe 13241300x800000000000000063280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\BinProductVersion(Empty) 13241300x800000000000000063279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LinkDate01/01/1970 00:00:00 13241300x800000000000000063278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\Publisher(Empty) 13241300x800000000000000063277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\numfmt.exe|8ee1d73a41ab2c69\LowerCaseLongPathc:\program files\git\usr\bin\numfmt.exe 13241300x800000000000000063276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\BinProductVersion(Empty) 13241300x800000000000000063275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LinkDate01/01/1970 00:00:00 13241300x800000000000000063274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\Publisher(Empty) 13241300x800000000000000063273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nproc.exe|4b998916d3f3a9c7\LowerCaseLongPathc:\program files\git\usr\bin\nproc.exe 13241300x800000000000000063272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\BinProductVersion(Empty) 13241300x800000000000000063271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.417{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LinkDate01/01/1970 00:00:00 13241300x800000000000000063270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\Publisher(Empty) 13241300x800000000000000063269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nohup.exe|b6d740d02d8e649a\LowerCaseLongPathc:\program files\git\usr\bin\nohup.exe 13241300x800000000000000063268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\BinProductVersion(Empty) 13241300x800000000000000063267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LinkDate01/01/1970 00:00:00 13241300x800000000000000063266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\Publisher(Empty) 13241300x800000000000000063265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nl.exe|a11f2aa66e5f8174\LowerCaseLongPathc:\program files\git\usr\bin\nl.exe 13241300x800000000000000063264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\BinProductVersion(Empty) 13241300x800000000000000063263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.416{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\Publisher(Empty) 13241300x800000000000000063261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nice.exe|d195556bd0ad811f\LowerCaseLongPathc:\program files\git\usr\bin\nice.exe 13241300x800000000000000063260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\BinProductVersion0.19.8.0 13241300x800000000000000063259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LinkDate01/01/1970 00:00:02 13241300x800000000000000063258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\Publisherfree software foundation 13241300x800000000000000063257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ngettext.exe|b3b7f8b500cfd995\LowerCaseLongPathc:\program files\git\usr\bin\ngettext.exe 13241300x800000000000000063256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\BinProductVersion(Empty) 13241300x800000000000000063255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LinkDate01/01/1970 00:00:00 13241300x800000000000000063254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\Publisher(Empty) 13241300x800000000000000063253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.415{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-pbkdf2.ex|97ba977fde0c62d6\LowerCaseLongPathc:\program files\git\usr\bin\nettle-pbkdf2.exe 13241300x800000000000000063252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\BinProductVersion(Empty) 13241300x800000000000000063251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LinkDate01/01/1970 00:00:00 13241300x800000000000000063250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\Publisher(Empty) 13241300x800000000000000063249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-lfib-stre|884dcfac9ef75867\LowerCaseLongPathc:\program files\git\usr\bin\nettle-lfib-stream.exe 13241300x800000000000000063248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\BinProductVersion(Empty) 13241300x800000000000000063247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LinkDate01/01/1970 00:00:00 13241300x800000000000000063246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\Publisher(Empty) 13241300x800000000000000063245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nettle-hash.exe|b53503615f207ffa\LowerCaseLongPathc:\program files\git\usr\bin\nettle-hash.exe 13241300x800000000000000063244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\BinProductVersion(Empty) 13241300x800000000000000063243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.414{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LinkDate01/01/1970 00:00:00 13241300x800000000000000063242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\Publisher(Empty) 13241300x800000000000000063241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\nano.exe|b50a21634bf0fc7\LowerCaseLongPathc:\program files\git\usr\bin\nano.exe 13241300x800000000000000063240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\BinProductVersion(Empty) 13241300x800000000000000063239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\Publisher(Empty) 13241300x800000000000000063237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mv.exe|929878a0fb05584e\LowerCaseLongPathc:\program files\git\usr\bin\mv.exe 13241300x800000000000000063236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\BinProductVersion(Empty) 13241300x800000000000000063235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LinkDate01/01/1970 00:00:01 13241300x800000000000000063234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.413{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\Publisher(Empty) 13241300x800000000000000063233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msguniq.exe|630e939fcdce570c\LowerCaseLongPathc:\program files\git\usr\bin\msguniq.exe 13241300x800000000000000063232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\BinProductVersion(Empty) 13241300x800000000000000063231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LinkDate06/19/2025 15:30:53 13241300x800000000000000063230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\Publisher(Empty) 13241300x800000000000000063229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgunfmt.exe|e224c743b2bfe999\LowerCaseLongPathc:\program files\git\usr\bin\msgunfmt.exe 13241300x800000000000000063228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\BinProductVersion(Empty) 13241300x800000000000000063227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LinkDate06/19/2025 15:30:53 13241300x800000000000000063226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\Publisher(Empty) 13241300x800000000000000063225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.412{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgmerge.exe|70a7277cc4533b58\LowerCaseLongPathc:\program files\git\usr\bin\msgmerge.exe 13241300x800000000000000063224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\BinProductVersion(Empty) 13241300x800000000000000063223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LinkDate01/18/2021 06:51:50 13241300x800000000000000063222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\Publisher(Empty) 13241300x800000000000000063221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msginit.exe|5aa0cd7045e63438\LowerCaseLongPathc:\program files\git\usr\bin\msginit.exe 13241300x800000000000000063220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\BinProductVersion(Empty) 13241300x800000000000000063219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LinkDate01/01/1970 00:00:00 13241300x800000000000000063218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\Publisher(Empty) 13241300x800000000000000063217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msggrep.exe|983cdb3b51d722e3\LowerCaseLongPathc:\program files\git\usr\bin\msggrep.exe 13241300x800000000000000063216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\BinProductVersion(Empty) 13241300x800000000000000063215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.411{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LinkDate06/19/2025 15:30:53 13241300x800000000000000063214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\Publisher(Empty) 13241300x800000000000000063213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfmt.exe|b876ce85e126a312\LowerCaseLongPathc:\program files\git\usr\bin\msgfmt.exe 13241300x800000000000000063212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\BinProductVersion(Empty) 13241300x800000000000000063211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LinkDate01/01/1970 00:00:00 13241300x800000000000000063210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\Publisher(Empty) 13241300x800000000000000063209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgfilter.exe|aaac2b93f137f1ae\LowerCaseLongPathc:\program files\git\usr\bin\msgfilter.exe 13241300x800000000000000063208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\BinProductVersion(Empty) 13241300x800000000000000063207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LinkDate01/01/1970 00:00:01 13241300x800000000000000063206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.410{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\Publisher(Empty) 13241300x800000000000000063205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgexec.exe|9c976ab4ff6e1c54\LowerCaseLongPathc:\program files\git\usr\bin\msgexec.exe 13241300x800000000000000063204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\BinProductVersion(Empty) 13241300x800000000000000063203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LinkDate06/19/2025 15:30:53 13241300x800000000000000063202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\Publisher(Empty) 13241300x800000000000000063201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgen.exe|da6af5ac56e9716\LowerCaseLongPathc:\program files\git\usr\bin\msgen.exe 13241300x800000000000000063200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\BinProductVersion(Empty) 13241300x800000000000000063199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LinkDate06/19/2025 15:30:53 13241300x800000000000000063198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\Publisher(Empty) 13241300x800000000000000063197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgconv.exe|be24512a01e4ec35\LowerCaseLongPathc:\program files\git\usr\bin\msgconv.exe 13241300x800000000000000063196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.409{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\BinProductVersion(Empty) 13241300x800000000000000063195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LinkDate06/19/2025 15:30:53 13241300x800000000000000063194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\Publisher(Empty) 13241300x800000000000000063193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcomm.exe|6ef471fb1825a1cd\LowerCaseLongPathc:\program files\git\usr\bin\msgcomm.exe 13241300x800000000000000063192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\BinProductVersion(Empty) 13241300x800000000000000063191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LinkDate05/08/2031 18:06:26 13241300x800000000000000063190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\Publisher(Empty) 13241300x800000000000000063189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcmp.exe|7c2e229e6e1c68a8\LowerCaseLongPathc:\program files\git\usr\bin\msgcmp.exe 13241300x800000000000000063188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\BinProductVersion(Empty) 13241300x800000000000000063187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LinkDate01/01/1970 00:00:01 13241300x800000000000000063186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\Publisher(Empty) 13241300x800000000000000063185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.408{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgcat.exe|5596b37e57e3e044\LowerCaseLongPathc:\program files\git\usr\bin\msgcat.exe 13241300x800000000000000063184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\BinProductVersion(Empty) 13241300x800000000000000063183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LinkDate01/01/1970 00:00:01 13241300x800000000000000063182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\Publisher(Empty) 13241300x800000000000000063181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msgattrib.exe|ef0e87f6c6fba86f\LowerCaseLongPathc:\program files\git\usr\bin\msgattrib.exe 13241300x800000000000000063180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\BinProductVersion(Empty) 13241300x800000000000000063179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LinkDate01/01/1970 00:00:00 13241300x800000000000000063178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\Publisher(Empty) 13241300x800000000000000063177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mpicalc.exe|f96ca699905a957b\LowerCaseLongPathc:\program files\git\usr\bin\mpicalc.exe 13241300x800000000000000063176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\BinProductVersion(Empty) 13241300x800000000000000063175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LinkDate03/26/2021 22:24:40 13241300x800000000000000063174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\Publisher(Empty) 13241300x800000000000000063173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mount.exe|9be5c50fa3ad3871\LowerCaseLongPathc:\program files\git\usr\bin\mount.exe 13241300x800000000000000063172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.407{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\BinProductVersion(Empty) 13241300x800000000000000063171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LinkDate01/01/1970 00:00:00 13241300x800000000000000063170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\Publisher(Empty) 13241300x800000000000000063169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mktemp.exe|f571057b3b322073\LowerCaseLongPathc:\program files\git\usr\bin\mktemp.exe 13241300x800000000000000063168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\BinProductVersion(Empty) 13241300x800000000000000063167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LinkDate03/26/2021 22:24:40 13241300x800000000000000063166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\Publisher(Empty) 13241300x800000000000000063165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkpasswd.exe|73ea587603f838db\LowerCaseLongPathc:\program files\git\usr\bin\mkpasswd.exe 13241300x800000000000000063164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\BinProductVersion(Empty) 13241300x800000000000000063163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LinkDate01/01/1970 00:00:00 13241300x800000000000000063162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\Publisher(Empty) 13241300x800000000000000063161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.406{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mknod.exe|1c9cc79f3ba29852\LowerCaseLongPathc:\program files\git\usr\bin\mknod.exe 13241300x800000000000000063160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\BinProductVersion(Empty) 13241300x800000000000000063159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\LinkDate03/26/2021 22:24:40 13241300x800000000000000063158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.405{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mkgroup.exe|b0fed08db39d16e4\Publisher(Empty) 23542300x800000000000000028916Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:18.218{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62FA8344C07728A4169114A685951FC1,SHA256=4C2DEDADB2FCA55747E8A4E77A1647FC65D645B30069B3FDAA0FC84830885B9A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000064077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\LowerCaseLongPathc:\program files\microsoft office\root\office16\lync99.exe 13241300x800000000000000064076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\BinProductVersion16.0.13127.21668 13241300x800000000000000064075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\LinkDate06/05/2021 06:12:31 13241300x800000000000000064074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\Publishermicrosoft corporation 13241300x800000000000000064073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync.exe|2fa06986cf265aad\LowerCaseLongPathc:\program files\microsoft office\root\office16\lync.exe 13241300x800000000000000064072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\BinProductVersion16.0.13127.21668 13241300x800000000000000064071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\LinkDate06/05/2021 06:29:54 13241300x800000000000000064070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\Publishermicrosoft corporation 13241300x800000000000000064069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.083{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\joticon.exe|fbcbe724436d069f\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\joticon.exe 13241300x800000000000000064068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\BinProductVersion16.0.13127.21668 13241300x800000000000000064067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LinkDate06/05/2021 06:03:12 13241300x800000000000000064066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\Publishermicrosoft corporation 13241300x800000000000000064065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LowerCaseLongPathc:\program files\microsoft office\root\integration\integrator.exe 13241300x800000000000000064064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\BinProductVersion16.0.13127.21668 13241300x800000000000000064063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\LinkDate06/05/2021 06:13:28 13241300x800000000000000064062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\Publishermicrosoft corporation 13241300x800000000000000064061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\iecontentservice|f42fbf118c5a773\LowerCaseLongPathc:\program files\microsoft office\root\office16\iecontentservice.exe 13241300x800000000000000064060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.082{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\BinProductVersion16.0.13127.21668 13241300x800000000000000064059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\LinkDate06/05/2021 06:29:55 13241300x800000000000000064058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\Publishermicrosoft corporation 13241300x800000000000000064057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\grv_icons.exe|d24c93c0e0170bfb\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\grv_icons.exe 13241300x800000000000000064056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\BinProductVersion16.0.13127.21668 13241300x800000000000000064055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\LinkDate06/05/2021 06:17:36 13241300x800000000000000064054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\Publishermicrosoft corporation 13241300x800000000000000064053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.081{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\graph.exe|9e2331c7d66bcaeb\LowerCaseLongPathc:\program files\microsoft office\root\office16\graph.exe 13241300x800000000000000064052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\BinProductVersion16.0.13127.21668 13241300x800000000000000064051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\LinkDate06/05/2021 06:15:39 13241300x800000000000000064050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\Publishermicrosoft corporation 13241300x800000000000000064049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\fltldr.exe|3fca25c5b23cb198\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\fltldr.exe 13241300x800000000000000064048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\BinProductVersion16.0.13127.20144 13241300x800000000000000064047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\LinkDate08/07/2020 09:18:11 13241300x800000000000000064046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\Publishermicrosoft corporation 13241300x800000000000000064045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.080{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\filecompare.exe|eb3b84e79f3ffde4\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\filecompare.exe 13241300x800000000000000064044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\BinProductVersion16.0.13127.21668 13241300x800000000000000064043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\LinkDate06/05/2021 06:16:10 13241300x800000000000000064042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\Publishermicrosoft corporation 13241300x800000000000000064041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excelcnv.exe|f227d29286aef5b1\LowerCaseLongPathc:\program files\microsoft office\root\office16\excelcnv.exe 13241300x800000000000000064040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\BinProductVersion16.0.13127.21668 13241300x800000000000000064039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\LinkDate06/05/2021 06:29:27 13241300x800000000000000064038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\Publishermicrosoft corporation 13241300x800000000000000064037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.079{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\excel.exe|39225495ceb51fb7\LowerCaseLongPathc:\program files\microsoft office\root\office16\excel.exe 13241300x800000000000000064036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dwtrig20.exe|59e3570877b6a7b6\BinProductVersion16.0.13127.21668 13241300x800000000000000064035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dwtrig20.exe|59e3570877b6a7b6\LinkDate06/05/2021 06:21:12 13241300x800000000000000064034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dwtrig20.exe|59e3570877b6a7b6\Publishermicrosoft corporation 13241300x800000000000000064033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dwtrig20.exe|59e3570877b6a7b6\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\dwtrig20.exe 13241300x800000000000000064032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\BinProductVersion16.0.13127.21668 13241300x800000000000000064031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.078{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\LinkDate06/05/2021 06:20:34 13241300x800000000000000064030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\Publishermicrosoft corporation 13241300x800000000000000064029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dw20.exe|12b87ce673fee545\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\dw\dw20.exe 13241300x800000000000000064028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\BinProductVersion16.0.13127.21668 13241300x800000000000000064027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\LinkDate06/05/2021 06:29:55 13241300x800000000000000064026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\Publishermicrosoft corporation 13241300x800000000000000064025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dbcicons.exe|8bf455c5b37991bd\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\dbcicons.exe 13241300x800000000000000064024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\BinProductVersion16.0.11929.20112 13241300x800000000000000064023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.077{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\LinkDate08/10/2019 04:45:30 13241300x800000000000000064022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\Publishermicrosoft corporation 13241300x800000000000000064021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\databasecompare.|d0717b3f5b185152\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\databasecompare.exe 13241300x800000000000000064020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\BinProductVersion16.0.13127.20164 13241300x800000000000000064019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\LinkDate08/10/2020 01:30:47 13241300x800000000000000064018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\Publishermicrosoft corporation 13241300x800000000000000064017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.showhelp.|aeead2886fb6295a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.showhelp.exe 13241300x800000000000000064016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\BinProductVersion16.0.11929.20102 13241300x800000000000000064015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\LinkDate08/08/2019 15:45:13 13241300x800000000000000064014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\Publishermicrosoft corporation 13241300x800000000000000064013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.076{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|8e5b8f8cae900bd\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.dbconnection64.exe 13241300x800000000000000064012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\BinProductVersion16.0.11929.20102 13241300x800000000000000064011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\LinkDate08/08/2019 15:45:13 13241300x800000000000000064010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\Publishermicrosoft corporation 13241300x800000000000000064009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\common.dbconnect|4bf898c15eaab915\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\common.dbconnection.exe 13241300x800000000000000064008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\BinProductVersion16.0.13127.21668 13241300x800000000000000064007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\LinkDate06/05/2021 06:16:37 13241300x800000000000000064006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\Publishermicrosoft corporation 13241300x800000000000000064005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.075{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\cnfnot32.exe|d12e39d78b8f7f17\LowerCaseLongPathc:\program files\microsoft office\root\office16\cnfnot32.exe 13241300x800000000000000064004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\BinProductVersion16.0.13127.21668 13241300x800000000000000064003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\LinkDate06/05/2021 06:21:38 13241300x800000000000000064002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\Publishermicrosoft corporation 13241300x800000000000000064001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\clview.exe|2e549e1ffb2d5a44\LowerCaseLongPathc:\program files\microsoft office\root\office16\clview.exe 13241300x800000000000000064000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\BinProductVersion5.2.158.0 13241300x800000000000000063999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\LinkDate04/09/2020 03:00:39 13241300x800000000000000063998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\Publishermicrosoft corporation 13241300x800000000000000063997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvlp.exe|5c890c66f7320a9b\LowerCaseLongPathc:\program files\microsoft office\root\client\appvlp.exe 13241300x800000000000000063996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\BinProductVersion5.1.154.0 13241300x800000000000000063995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.074{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\LinkDate10/14/2019 18:26:31 13241300x800000000000000063994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\Publishermicrosoft corporation 13241300x800000000000000063993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|dc36ed799a92e521\LowerCaseLongPathc:\program files\microsoft office\root\client\appvdllsurrogate32.exe 13241300x800000000000000063992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\BinProductVersion5.1.125.0 13241300x800000000000000063991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\LinkDate05/15/2017 21:34:56 13241300x800000000000000063990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\Publishermicrosoft corporation 13241300x800000000000000063989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appvdllsurrogate|4a3dbcbfcf815bda\LowerCaseLongPathc:\program files\microsoft office\root\client\appvdllsurrogate64.exe 13241300x800000000000000063988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.073{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\BinProductVersion16.0.13127.20164 13241300x800000000000000063987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\LinkDate08/10/2020 00:47:27 13241300x800000000000000063986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\Publishermicrosoft corporation 13241300x800000000000000063985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|ca17c1da2ae73545\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\appsharinghookcontroller.exe 13241300x800000000000000063984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\BinProductVersion16.0.13127.20164 13241300x800000000000000063983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\LinkDate08/10/2020 01:34:28 13241300x800000000000000063982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\Publishermicrosoft corporation 13241300x800000000000000063981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\appsharinghookco|c43916d5d05bf0ab\LowerCaseLongPathc:\program files\microsoft office\root\office16\appsharinghookcontroller64.exe 13241300x800000000000000063980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\BinProductVersion16.0.13127.21668 13241300x800000000000000063979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\LinkDate06/05/2021 06:29:55 13241300x800000000000000063978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.072{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\Publishermicrosoft corporation 13241300x800000000000000063977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.071{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b4fb926f9d8f82ed\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\accicons.exe 13241300x800000000000000063976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.071{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\BinProductVersion16.0.11727.20086 13241300x800000000000000063975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.071{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\LinkDate06/06/2019 21:22:15 13241300x800000000000000063974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.071{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\Publishermicrosoft corporation 13241300x800000000000000063973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.071{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\accicons.exe|b0fb91e640fd7b1d\LowerCaseLongPathc:\program files\microsoft office\root\office16\accicons.exe 13241300x800000000000000063972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.070{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00006d064409f1c2b23a89534f8e719aff170000ffff\PublisherMicrosoft Corporation 10341000x800000000000000063971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.062{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-F50A-00000000E501}7892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.050{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-F50A-00000000E501}7892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.050{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BD-60F5-F50A-00000000E501}7892C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.000{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-F40A-00000000E501}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.988{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-F40A-00000000E501}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.987{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BC-60F5-F40A-00000000E501}4972C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.906{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-F30A-00000000E501}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.893{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-F30A-00000000E501}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.892{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BC-60F5-F30A-00000000E501}6316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.845{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-F20A-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.830{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-F20A-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.830{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BC-60F5-F20A-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000063959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:16.787{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exeHKLM\System\CurrentControlSet\Services\EventLog\Application\MicrosoftSearchInBing\EventMessageFileC:\Windows\Microsoft.NET\Framework\v4.0.30319\EventLogMessages.dll 10341000x800000000000000063958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.665{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-F10A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.653{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-F10A-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.652{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.599{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BC-60F5-F00A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.586{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BC-60F5-F00A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000063953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.586{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BC-60F5-F00A-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000063952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:16.568{43EB4363-37A4-60F5-0A00-00000000E501}6082808C:\Windows\system32\services.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000063951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.559{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\BinProductVersion8.1.2.0 13241300x800000000000000063950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.559{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LinkDate12/15/2018 22:24:36 13241300x800000000000000063949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\Publisherdon ho don.h@free.fr 13241300x800000000000000063948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|bd4762a4deb0ebdc\LowerCaseLongPathc:\program files\notepad++\uninstall.exe 13241300x800000000000000063947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion8.1.2.0 13241300x800000000000000063946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate07/16/2021 00:01:57 13241300x800000000000000063945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisherdon ho don.h@free.fr 13241300x800000000000000063944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPathc:\program files\notepad++\notepad++.exe 13241300x800000000000000063943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\BinProductVersion5.2.0.0 13241300x800000000000000063942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LinkDate05/17/2021 17:20:17 13241300x800000000000000063941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.558{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\Publisherdon ho don.h@free.fr 13241300x800000000000000063940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.557{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\gup.exe|eaab466dc417ed01\LowerCaseLongPathc:\program files\notepad++\updater\gup.exe 13241300x800000000000000063939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.557{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00009cb25075b3cf85fcd5427a445260b1290000ffff\PublisherNotepad++ Team 13241300x800000000000000063938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\BinProductVersion1.0.0.0 13241300x800000000000000063937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LinkDate12/11/2016 21:50:55 13241300x800000000000000063936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\Publishermozilla corporation 13241300x800000000000000063935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstall.exe|c3a2a248a1867c34\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\uninstall.exe 13241300x800000000000000063934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\BinProductVersion89.0.2.7843 13241300x800000000000000063933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LinkDate06/22/2021 17:42:57 13241300x800000000000000063932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\Publishermozilla foundation 13241300x800000000000000063931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.544{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|f537de1e8599ad9d\LowerCaseLongPathc:\program files (x86)\mozilla maintenance service\maintenanceservice.exe 13241300x800000000000000063930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.543{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000ed93e87382d3daa2ac568a845d9f27d10000ffff\PublisherMozilla 13241300x800000000000000063929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\BinProductVersion89.0.2.7843 13241300x800000000000000063928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LinkDate06/22/2021 17:43:01 13241300x800000000000000063927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\Publishermozilla foundation 13241300x800000000000000063926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\updater.exe|c1b2e9c223e636df\LowerCaseLongPathc:\program files\mozilla firefox\updater.exe 13241300x800000000000000063925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\BinProductVersion89.0.2.0 13241300x800000000000000063924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LinkDate06/22/2021 17:51:21 13241300x800000000000000063923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\Publishermozilla corporation 13241300x800000000000000063922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\plugin-container|bff6e47ff7f94db5\LowerCaseLongPathc:\program files\mozilla firefox\plugin-container.exe 13241300x800000000000000063921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\BinProductVersion89.0.2.7843 13241300x800000000000000063920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.538{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LinkDate06/22/2021 17:42:59 13241300x800000000000000063919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\Publishermozilla foundation 13241300x800000000000000063918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pingsender.exe|aaf23943349d4957\LowerCaseLongPathc:\program files\mozilla firefox\pingsender.exe 13241300x800000000000000063917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\BinProductVersion89.0.2.7843 13241300x800000000000000063916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LinkDate06/22/2021 17:43:00 13241300x800000000000000063915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\Publishermozilla foundation 13241300x800000000000000063914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\minidump-analyze|c30fa22ff3f6a149\LowerCaseLongPathc:\program files\mozilla firefox\minidump-analyzer.exe 13241300x800000000000000063913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\BinProductVersion1.0.0.0 13241300x800000000000000063912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LinkDate12/11/2016 21:50:55 13241300x800000000000000063911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.537{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\Publishermozilla corporation 13241300x800000000000000063910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|a02830353e4ef7f\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice_installer.exe 13241300x800000000000000063909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\BinProductVersion89.0.2.7843 13241300x800000000000000063908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LinkDate06/22/2021 17:42:57 13241300x800000000000000063907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\Publishermozilla foundation 13241300x800000000000000063906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\maintenanceservi|97180995320ca115\LowerCaseLongPathc:\program files\mozilla firefox\maintenanceservice.exe 13241300x800000000000000063905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\BinProductVersion1.0.0.0 13241300x800000000000000063904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LinkDate12/11/2016 21:50:55 13241300x800000000000000063903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\Publishermozilla corporation 13241300x800000000000000063902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.536{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\helper.exe|e5fe7566efc548ac\LowerCaseLongPathc:\program files\mozilla firefox\uninstall\helper.exe 13241300x800000000000000063901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\BinProductVersion89.0.2.0 13241300x800000000000000063900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LinkDate06/22/2021 17:42:49 13241300x800000000000000063899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\Publishermozilla corporation 13241300x800000000000000063898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\firefox.exe|ebd16581180f4552\LowerCaseLongPathc:\program files\mozilla firefox\firefox.exe 13241300x800000000000000063897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\BinProductVersion89.0.2.7843 13241300x800000000000000063896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LinkDate06/22/2021 17:44:50 13241300x800000000000000063895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\Publishermozilla foundation 13241300x800000000000000063894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\default-browser-|dc77861eecd2248\LowerCaseLongPathc:\program files\mozilla firefox\default-browser-agent.exe 13241300x800000000000000063893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.535{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\BinProductVersion89.0.2.7843 13241300x800000000000000063892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.534{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LinkDate06/22/2021 17:43:34 13241300x800000000000000063891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.534{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\Publishermozilla foundation 13241300x800000000000000063890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.534{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\crashreporter.ex|63c55d3d1009672b\LowerCaseLongPathc:\program files\mozilla firefox\crashreporter.exe 13241300x800000000000000063889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.534{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000429918e89ac24009d6ef492ecda140d30000ffff\PublisherMozilla 13241300x800000000000000063888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.483{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\BinProductVersion(Empty) 13241300x800000000000000063887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.483{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LinkDate01/01/1970 00:00:00 13241300x800000000000000063886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\Publisher(Empty) 13241300x800000000000000063885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ziptool.exe|7269435f129e6e01\LowerCaseLongPathc:\program files\git\mingw64\bin\ziptool.exe 13241300x800000000000000063884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\BinProductVersion(Empty) 13241300x800000000000000063883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LinkDate01/01/1970 00:00:00 13241300x800000000000000063882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\Publisher(Empty) 13241300x800000000000000063881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipmerge.exe|13ce9e43b33787b4\LowerCaseLongPathc:\program files\git\mingw64\bin\zipmerge.exe 13241300x800000000000000063880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\BinProductVersion(Empty) 13241300x800000000000000063879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LinkDate05/08/2031 18:06:26 13241300x800000000000000063878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\Publisher(Empty) 13241300x800000000000000063877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.482{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipinfo.exe|221fb78378e3082e\LowerCaseLongPathc:\program files\git\usr\bin\zipinfo.exe 13241300x800000000000000063876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\BinProductVersion(Empty) 13241300x800000000000000063875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LinkDate01/01/1970 00:00:00 13241300x800000000000000063874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\Publisher(Empty) 13241300x800000000000000063873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\zipcmp.exe|72e4c18935f10855\LowerCaseLongPathc:\program files\git\mingw64\bin\zipcmp.exe 13241300x800000000000000063872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\BinProductVersion(Empty) 13241300x800000000000000063871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LinkDate01/01/1970 00:00:00 13241300x800000000000000063870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\Publisher(Empty) 13241300x800000000000000063869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yes.exe|101013f8ea4cecdc\LowerCaseLongPathc:\program files\git\usr\bin\yes.exe 13241300x800000000000000063868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.481{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\BinProductVersion(Empty) 13241300x800000000000000063867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LinkDate01/01/1970 00:00:00 13241300x800000000000000063866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\Publisher(Empty) 13241300x800000000000000063865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\yat2m.exe|e602d782765213bc\LowerCaseLongPathc:\program files\git\usr\bin\yat2m.exe 13241300x800000000000000063864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\BinProductVersion5.2.5.0 13241300x800000000000000063863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LinkDate01/01/1970 00:00:00 13241300x800000000000000063862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzdec.exe|aa41a1b6191a17c5\LowerCaseLongPathc:\program files\git\mingw64\bin\xzdec.exe 13241300x800000000000000063860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\BinProductVersion5.2.5.0 13241300x800000000000000063859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LinkDate01/01/1970 00:00:00 13241300x800000000000000063858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xzcat.exe|6c454d521625ef75\LowerCaseLongPathc:\program files\git\mingw64\bin\xzcat.exe 13241300x800000000000000063856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.480{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\BinProductVersion5.2.5.0 13241300x800000000000000063855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LinkDate01/01/1970 00:00:00 13241300x800000000000000063854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xz.exe|f5dd0ac934ca84a7\LowerCaseLongPathc:\program files\git\mingw64\bin\xz.exe 13241300x800000000000000063852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\BinProductVersion(Empty) 13241300x800000000000000063851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LinkDate01/01/1970 00:00:00 13241300x800000000000000063850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\Publisher(Empty) 13241300x800000000000000063849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xxd.exe|ec817b4721384459\LowerCaseLongPathc:\program files\git\usr\bin\xxd.exe 13241300x800000000000000063848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\BinProductVersion(Empty) 13241300x800000000000000063847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\Publisher(Empty) 13241300x800000000000000063845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlwf.exe|db82f10a63bc087f\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlwf.exe 13241300x800000000000000063844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\BinProductVersion(Empty) 13241300x800000000000000063843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.479{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\LinkDate01/01/1970 00:00:00 13241300x800000000000000063842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\Publisher(Empty) 13241300x800000000000000063841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmllint.exe|4edab855de35972b\LowerCaseLongPathc:\program files\git\mingw64\bin\xmllint.exe 13241300x800000000000000063840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\BinProductVersion(Empty) 13241300x800000000000000063839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\LinkDate01/01/1970 00:00:00 13241300x800000000000000063838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\Publisher(Empty) 13241300x800000000000000063837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xmlcatalog.exe|ad3a3f621c028adc\LowerCaseLongPathc:\program files\git\mingw64\bin\xmlcatalog.exe 13241300x800000000000000063836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\BinProductVersion(Empty) 13241300x800000000000000063835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LinkDate07/19/2029 06:51:46 13241300x800000000000000063834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\Publisher(Empty) 13241300x800000000000000063833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xgettext.exe|d70e9fbf1e3251f9\LowerCaseLongPathc:\program files\git\usr\bin\xgettext.exe 13241300x800000000000000063832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\BinProductVersion(Empty) 13241300x800000000000000063831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.478{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LinkDate01/01/1970 00:00:00 13241300x800000000000000063830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\Publisher(Empty) 13241300x800000000000000063829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xargs.exe|b26b4866fba2ace6\LowerCaseLongPathc:\program files\git\usr\bin\xargs.exe 13241300x800000000000000063828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\BinProductVersion(Empty) 13241300x800000000000000063827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LinkDate01/01/1970 00:00:00 13241300x800000000000000063826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\Publisher(Empty) 13241300x800000000000000063825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|dda5875a0a94e702\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-deflatehd.exe 13241300x800000000000000063824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\BinProductVersion(Empty) 13241300x800000000000000063823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\Publisher(Empty) 13241300x800000000000000063821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|d480e6241e2b429f\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-inflatehd.exe 13241300x800000000000000063820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\BinProductVersion(Empty) 13241300x800000000000000063819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.477{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LinkDate01/01/1970 00:00:00 13241300x800000000000000063818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\Publisher(Empty) 13241300x800000000000000063817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\x86_64-w64-mingw|721349a4c3d19334\LowerCaseLongPathc:\program files\git\mingw64\bin\x86_64-w64-mingw32-agrep.exe 13241300x800000000000000063816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\BinProductVersion8.6.2.11 13241300x800000000000000063815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\Publisheractivestate corporation 13241300x800000000000000063813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish86.exe|b43e477f47c04c0d\LowerCaseLongPathc:\program files\git\mingw64\bin\wish86.exe 13241300x800000000000000063812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\BinProductVersion8.6.2.11 13241300x800000000000000063811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LinkDate01/01/1970 00:00:00 13241300x800000000000000063810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\Publisheractivestate corporation 13241300x800000000000000063809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.476{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wish.exe|387f467bcbc945b9\LowerCaseLongPathc:\program files\git\mingw64\bin\wish.exe 13241300x800000000000000063808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\BinProductVersion(Empty) 13241300x800000000000000063807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LinkDate11/17/2017 22:11:01 13241300x800000000000000063806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\Publisher(Empty) 13241300x800000000000000063805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wintoast.exe|a56a902040daad41\LowerCaseLongPathc:\program files\git\mingw64\bin\wintoast.exe 13241300x800000000000000063804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\BinProductVersion(Empty) 13241300x800000000000000063803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.475{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LinkDate06/19/2025 15:30:53 13241300x800000000000000063802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\Publisher(Empty) 13241300x800000000000000063801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty.exe|b62f1084964abfa7\LowerCaseLongPathc:\program files\git\usr\bin\winpty.exe 13241300x800000000000000063800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\BinProductVersion(Empty) 13241300x800000000000000063799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LinkDate05/08/2031 18:06:26 13241300x800000000000000063798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\Publisher(Empty) 13241300x800000000000000063797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-debugserv|fa3a25afb3dba9c5\LowerCaseLongPathc:\program files\git\usr\bin\winpty-debugserver.exe 13241300x800000000000000063796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\BinProductVersion(Empty) 13241300x800000000000000063795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.474{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LinkDate05/08/2031 18:06:26 13241300x800000000000000063794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\Publisher(Empty) 13241300x800000000000000063793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winpty-agent.exe|f42c4e896f998b23\LowerCaseLongPathc:\program files\git\usr\bin\winpty-agent.exe 13241300x800000000000000063792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\BinProductVersion(Empty) 13241300x800000000000000063791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LinkDate01/01/1970 00:00:00 13241300x800000000000000063790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\Publisher(Empty) 13241300x800000000000000063789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whouses.exe|112098ea380b8223\LowerCaseLongPathc:\program files\git\mingw64\bin\whouses.exe 13241300x800000000000000063788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\BinProductVersion(Empty) 13241300x800000000000000063787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LinkDate01/01/1970 00:00:00 13241300x800000000000000063786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.473{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\Publisher(Empty) 13241300x800000000000000063785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\whoami.exe|db400e84413562a4\LowerCaseLongPathc:\program files\git\usr\bin\whoami.exe 13241300x800000000000000063784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\BinProductVersion(Empty) 13241300x800000000000000063783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LinkDate01/01/1970 00:00:00 13241300x800000000000000063782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\Publisher(Empty) 13241300x800000000000000063781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\who.exe|cb672bc7f4c40afb\LowerCaseLongPathc:\program files\git\usr\bin\who.exe 13241300x800000000000000063780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\BinProductVersion(Empty) 13241300x800000000000000063779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LinkDate01/02/1970 12:24:32 13241300x800000000000000063778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\Publisher(Empty) 13241300x800000000000000063777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.472{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\which.exe|fd8a97b7fcb2af43\LowerCaseLongPathc:\program files\git\usr\bin\which.exe 13241300x800000000000000063776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\BinProductVersion(Empty) 13241300x800000000000000063775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LinkDate01/01/1970 00:00:00 13241300x800000000000000063774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\Publisher(Empty) 13241300x800000000000000063773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wc.exe|8047af858fdb6703\LowerCaseLongPathc:\program files\git\usr\bin\wc.exe 13241300x800000000000000063772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\BinProductVersion(Empty) 13241300x800000000000000063771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LinkDate01/01/1970 00:00:00 13241300x800000000000000063770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\Publisher(Empty) 13241300x800000000000000063769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.471{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\watchgnupg.exe|4fab39cd9f6ffe71\LowerCaseLongPathc:\program files\git\usr\bin\watchgnupg.exe 13241300x800000000000000063768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\BinProductVersion(Empty) 13241300x800000000000000063767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\Publisher(Empty) 13241300x800000000000000063765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vimdiff.exe|67340c9152f6152c\LowerCaseLongPathc:\program files\git\usr\bin\vimdiff.exe 13241300x800000000000000063764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\BinProductVersion(Empty) 13241300x800000000000000063763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LinkDate01/01/1970 00:00:00 13241300x800000000000000063762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\Publisher(Empty) 13241300x800000000000000063761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.470{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vim.exe|43ed39053a824d04\LowerCaseLongPathc:\program files\git\usr\bin\vim.exe 13241300x800000000000000063760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\BinProductVersion(Empty) 13241300x800000000000000063759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LinkDate01/01/1970 00:00:00 13241300x800000000000000063758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\Publisher(Empty) 13241300x800000000000000063757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\view.exe|904157a959d595c9\LowerCaseLongPathc:\program files\git\usr\bin\view.exe 13241300x800000000000000063756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\BinProductVersion(Empty) 13241300x800000000000000063755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LinkDate01/01/1970 00:00:00 13241300x800000000000000063754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\Publisher(Empty) 13241300x800000000000000063753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vdir.exe|d36f5c65563e728d\LowerCaseLongPathc:\program files\git\usr\bin\vdir.exe 13241300x800000000000000063752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\BinProductVersion(Empty) 13241300x800000000000000063751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.469{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LinkDate01/01/1970 00:00:00 13241300x800000000000000063750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\Publisher(Empty) 13241300x800000000000000063749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\users.exe|4d383589d66a4050\LowerCaseLongPathc:\program files\git\usr\bin\users.exe 13241300x800000000000000063748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\BinProductVersion(Empty) 13241300x800000000000000063747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LinkDate06/19/2025 15:30:53 13241300x800000000000000063746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\Publisher(Empty) 13241300x800000000000000063745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\urlget.exe|b1ac3fe6098df4f3\LowerCaseLongPathc:\program files\git\usr\lib\gettext\urlget.exe 13241300x800000000000000063744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\BinProductVersion(Empty) 13241300x800000000000000063743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LinkDate05/08/2031 18:06:26 13241300x800000000000000063742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.468{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\Publisher(Empty) 13241300x800000000000000063741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzipsfx.exe|f11926d1b5caa9e4\LowerCaseLongPathc:\program files\git\usr\bin\unzipsfx.exe 13241300x800000000000000063740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\BinProductVersion(Empty) 13241300x800000000000000063739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LinkDate05/08/2031 18:06:26 13241300x800000000000000063738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\Publisher(Empty) 13241300x800000000000000063737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unzip.exe|678f320572a2cac0\LowerCaseLongPathc:\program files\git\usr\bin\unzip.exe 13241300x800000000000000063736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\BinProductVersion5.2.5.0 13241300x800000000000000063735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LinkDate01/01/1970 00:00:00 13241300x800000000000000063734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\Publisherthe tukaani project <https://tukaani.org/> 13241300x800000000000000063733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.467{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unxz.exe|af430565744d9629\LowerCaseLongPathc:\program files\git\mingw64\bin\unxz.exe 13241300x800000000000000063732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\BinProductVersion(Empty) 13241300x800000000000000063731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\Publisher(Empty) 13241300x800000000000000063729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unlink.exe|8905006f80ba665e\LowerCaseLongPathc:\program files\git\usr\bin\unlink.exe 13241300x800000000000000063728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\BinProductVersion(Empty) 13241300x800000000000000063727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LinkDate01/01/1970 00:00:00 13241300x800000000000000063726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\Publisher(Empty) 13241300x800000000000000063725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.466{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2mac.exe|ce61a10675030bc2\LowerCaseLongPathc:\program files\git\usr\bin\unix2mac.exe 13241300x800000000000000063724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\BinProductVersion(Empty) 13241300x800000000000000063723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LinkDate01/01/1970 00:00:00 13241300x800000000000000063722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\Publisher(Empty) 13241300x800000000000000063721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unix2dos.exe|d30cb63cbe1e2952\LowerCaseLongPathc:\program files\git\usr\bin\unix2dos.exe 13241300x800000000000000063720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\BinProductVersion(Empty) 13241300x800000000000000063719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LinkDate01/01/1970 00:00:00 13241300x800000000000000063718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\Publisher(Empty) 13241300x800000000000000063717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uniq.exe|4d8db7f943d46212\LowerCaseLongPathc:\program files\git\usr\bin\uniq.exe 13241300x800000000000000063716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\BinProductVersion2.32.0.2 13241300x800000000000000063715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.465{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LinkDate11/15/2020 09:48:32 13241300x800000000000000063714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.464{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\Publisherthe git development community 13241300x800000000000000063713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.464{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unins000.exe|53f54630e98a3bb8\LowerCaseLongPathc:\program files\git\unins000.exe 13241300x800000000000000063712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.464{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\BinProductVersion(Empty) 13241300x800000000000000063711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.464{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LinkDate01/01/1970 00:00:00 13241300x800000000000000063710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\Publisher(Empty) 13241300x800000000000000063709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\unexpand.exe|4aa0be7d58d7a70e\LowerCaseLongPathc:\program files\git\usr\bin\unexpand.exe 13241300x800000000000000063708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\BinProductVersion(Empty) 13241300x800000000000000063707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LinkDate01/01/1970 00:00:00 13241300x800000000000000063706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\Publisher(Empty) 13241300x800000000000000063705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uname.exe|aa1eb9eb8d6d257c\LowerCaseLongPathc:\program files\git\usr\bin\uname.exe 13241300x800000000000000063704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\BinProductVersion(Empty) 13241300x800000000000000063703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LinkDate03/26/2021 22:24:41 13241300x800000000000000063702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.463{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\Publisher(Empty) 13241300x800000000000000063701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\umount.exe|7b6c7cea428daaaa\LowerCaseLongPathc:\program files\git\usr\bin\umount.exe 13241300x800000000000000063700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\BinProductVersion(Empty) 13241300x800000000000000063699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LinkDate01/01/1970 00:00:00 13241300x800000000000000063698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\Publisher(Empty) 13241300x800000000000000063697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\u2d.exe|757aee4677b2e42f\LowerCaseLongPathc:\program files\git\usr\bin\u2d.exe 13241300x800000000000000063696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\BinProductVersion(Empty) 13241300x800000000000000063695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LinkDate03/26/2021 22:24:41 13241300x800000000000000063694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\Publisher(Empty) 13241300x800000000000000063693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:16.462{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\tzset.exe|6044895f1b845eb4\LowerCaseLongPathc:\program files\git\usr\bin\tzset.exe 23542300x800000000000000028917Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:19.453{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C43F11F3F70A1839896CFF2A6A37B0F,SHA256=2F6CF8B53F3E5C5866B27EA0775B2AC3E741EB7A0EF4EFD630097E24C23B99FB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000064588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000064587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkmonitornohandledrv.sys 13241300x800000000000000064586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\BinProductVersion10.0.10011.16384 13241300x800000000000000064585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LinkDate10/02/2019 17:37:08 13241300x800000000000000064584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000064583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkdrv.sys|d26d9681615e2fde\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkdrv.sys 13241300x800000000000000064582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\BinProductVersion2048.512.24125.32311 13241300x800000000000000064581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LinkDate02/07/2020 15:26:19 13241300x800000000000000064580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\Publishersplunk inc. 13241300x800000000000000064579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkd.exe|97fa29633c3fe2cc\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunkd.exe 13241300x800000000000000064578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\BinProductVersion2048.512.24125.32311 13241300x800000000000000064577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LinkDate02/07/2020 15:13:21 13241300x800000000000000064576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\Publishersplunk inc. 13241300x800000000000000064575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk.exe|a8c4bd649036a5f1\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk.exe 13241300x800000000000000064574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\BinProductVersion2048.512.24125.32311 13241300x800000000000000064573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LinkDate02/07/2020 15:24:43 13241300x800000000000000064572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.039{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\Publishersplunk inc. 13241300x800000000000000064571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-wmi.exe|fd58174ea9e370c0\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-wmi.exe 13241300x800000000000000064570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\BinProductVersion2048.512.24125.32311 13241300x800000000000000064569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LinkDate02/07/2020 15:19:24 13241300x800000000000000064568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\Publishersplunk inc. 13241300x800000000000000064567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winprintm|94e5804991a842aa\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winprintmon.exe 13241300x800000000000000064566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\BinProductVersion2048.512.24125.32311 13241300x800000000000000064565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LinkDate02/07/2020 15:19:16 13241300x800000000000000064564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\Publishersplunk inc. 13241300x800000000000000064563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winhostin|9c2f9c50ce2f578e\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winhostinfo.exe 13241300x800000000000000064562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\BinProductVersion2048.512.24125.32311 13241300x800000000000000064561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LinkDate02/07/2020 15:18:57 13241300x800000000000000064560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.038{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\Publishersplunk inc. 13241300x800000000000000064559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-winevtlog|d8125e0c86684fca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-winevtlog.exe 13241300x800000000000000064558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\BinProductVersion2048.512.24125.32311 13241300x800000000000000064557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LinkDate02/07/2020 15:19:10 13241300x800000000000000064556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\Publishersplunk inc. 13241300x800000000000000064555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-regmon.ex|618812230e4591fb\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-regmon.exe 13241300x800000000000000064554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\BinProductVersion(Empty) 13241300x800000000000000064553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LinkDate02/07/2020 15:18:45 13241300x800000000000000064552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\Publisher(Empty) 13241300x800000000000000064551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-powershel|2c084771581f2247\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-powershell.exe 13241300x800000000000000064550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\BinProductVersion2048.512.24125.32311 13241300x800000000000000064549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LinkDate02/07/2020 15:18:45 13241300x800000000000000064548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.037{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\Publishersplunk inc. 13241300x800000000000000064547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-perfmon.e|5179a15d38015aca\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-perfmon.exe 13241300x800000000000000064546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\BinProductVersion2048.512.24125.32311 13241300x800000000000000064545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LinkDate02/07/2020 15:18:57 13241300x800000000000000064544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\Publishersplunk inc. 13241300x800000000000000064543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-netmon.ex|1a876d8838ded3dd\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-netmon.exe 13241300x800000000000000064542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\BinProductVersion10.0.10011.16384 13241300x800000000000000064541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LinkDate02/07/2020 15:18:52 13241300x800000000000000064540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000064539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-monitorno|903ef6eeb885a45b\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-monitornohandle.exe 13241300x800000000000000064538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\BinProductVersion2048.512.24125.32311 13241300x800000000000000064537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.036{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LinkDate02/07/2020 15:13:21 13241300x800000000000000064536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\Publishersplunk inc. 13241300x800000000000000064535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-compresst|40738d14a4b5ef86\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-compresstool.exe 13241300x800000000000000064534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\BinProductVersion2048.512.24125.32311 13241300x800000000000000064533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LinkDate02/07/2020 15:19:19 13241300x800000000000000064532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\Publishersplunk inc. 13241300x800000000000000064531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunk-admon.exe|eab473bd2c77f301\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splunk-admon.exe 13241300x800000000000000064530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\BinProductVersion10.0.10011.16384 13241300x800000000000000064529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LinkDate09/27/2019 18:25:44 13241300x800000000000000064528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\Publisherwindows (r) win 7 ddk provider 13241300x800000000000000064527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splknetdrv.sys|9d837bc7abc517f\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\splknetdrv.sys 13241300x800000000000000064526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\BinProductVersion(Empty) 13241300x800000000000000064525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.035{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LinkDate01/10/2020 00:48:57 13241300x800000000000000064524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\Publisher(Empty) 13241300x800000000000000064523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\openssl.exe|fe2747d40e70e115\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\openssl.exe 13241300x800000000000000064522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\BinProductVersion2048.512.24125.32311 13241300x800000000000000064521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LinkDate02/07/2020 15:13:14 13241300x800000000000000064520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\Publishersplunk inc. 13241300x800000000000000064519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\classify.exe|c62b2c99ddbdcd65\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\classify.exe 13241300x800000000000000064518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\BinProductVersion2048.512.24125.32311 13241300x800000000000000064517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LinkDate02/07/2020 15:12:56 13241300x800000000000000064516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\Publishersplunk inc. 13241300x800000000000000064515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btprobe.exe|ca8341d242e7a488\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btprobe.exe 13241300x800000000000000064514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\BinProductVersion2048.512.24125.32311 13241300x800000000000000064513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.034{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LinkDate02/07/2020 15:12:56 13241300x800000000000000064512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.033{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\Publishersplunk inc. 13241300x800000000000000064511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.033{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\btool.exe|4e68b21196df7ca2\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\btool.exe 13241300x800000000000000064510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.033{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00006e465eb93b9ef9ed1111015f594f733000000904\PublisherSplunk, Inc. 10341000x800000000000000064509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.998{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-FB0A-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.973{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-FB0A-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.973{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BD-60F5-FB0A-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.901{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000a32b64966830ad0100b29547ca55110200000904\PublisherAmazon Web Services 13241300x800000000000000064505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.889{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00001ce300114cd699a5ec1dc952222e119100000904\PublisherMicrosoft Corporation 13241300x800000000000000064504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\BinProductVersion10.0.60828.0 13241300x800000000000000064503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\LinkDate12/22/2017 05:08:07 13241300x800000000000000064502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\Publishermicrosoft corporation 13241300x800000000000000064501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|c0ef73c374d5c127\LowerCaseLongPathc:\program files\common files\microsoft shared\vsto\10.0\vstoinstaller.exe 13241300x800000000000000064500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\BinProductVersion10.0.60828.0 13241300x800000000000000064499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\LinkDate12/22/2017 05:12:25 13241300x800000000000000064498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\Publishermicrosoft corporation 13241300x800000000000000064497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vstoinstaller.ex|4af637e234df85fb\LowerCaseLongPathc:\program files (x86)\common files\microsoft shared\vsto\10.0\vstoinstaller.exe 13241300x800000000000000064496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.883{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00001feb129e42f002106264e6dd8e24b68a00000000\PublisherMicrosoft Corporation 13241300x800000000000000064495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.800{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00002663d8da354956d1978535c6575c9f8e00000000\PublisherMicrosoft Corporation 13241300x800000000000000064494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\BinProductVersion8.2.9.8 13241300x800000000000000064493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LinkDate07/08/2020 18:42:42 13241300x800000000000000064492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\Publisheramazon inc. 13241300x800000000000000064491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvif.sys|cb31ee26ddd80e14\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\xenvif.sys 13241300x800000000000000064490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\BinProductVersion8.4.0.11 13241300x800000000000000064489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LinkDate01/12/2021 17:17:37 354300x800000000000000064488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.283{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65122-false52.114.128.71-443https 13241300x800000000000000064487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\Publisheramazon inc. 13241300x800000000000000064486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenvbd.sys|1569d4886cd76c31\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xenvbd.sys 13241300x800000000000000064485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\BinProductVersion8.2.5.32 13241300x800000000000000064484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LinkDate11/19/2018 22:01:56 13241300x800000000000000064483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\Publisheramazon inc. 13241300x800000000000000064482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xennet.sys|b6a1491527cb2a5f\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\xennet.sys 13241300x800000000000000064481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\BinProductVersion8.2.7.5 13241300x800000000000000064480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LinkDate12/16/2019 19:58:01 13241300x800000000000000064479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\Publisheramazon inc. 13241300x800000000000000064478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xeniface.sys|79e991f7eda45e8b\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\xeniface.sys 13241300x800000000000000064477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\BinProductVersion8.3.0.7 13241300x800000000000000064476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LinkDate02/12/2021 02:15:56 13241300x800000000000000064475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\Publisheramazon inc. 13241300x800000000000000064474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenfilt.sys|5ed52abf02907bc4\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenfilt.sys 13241300x800000000000000064473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\BinProductVersion8.4.0.11 13241300x800000000000000064472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\LinkDate01/12/2021 17:17:43 13241300x800000000000000064471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\Publisheramazon inc. 13241300x800000000000000064470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xendisk.sys|eea975986c3a667d\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xendisk.sys 13241300x800000000000000064469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\BinProductVersion8.4.0.11 13241300x800000000000000064468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LinkDate01/12/2021 17:17:19 13241300x800000000000000064467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\Publisheramazon inc. 13241300x800000000000000064466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xencrsh.sys|b42c374052fc1b77\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\xencrsh.sys 13241300x800000000000000064465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\BinProductVersion8.3.0.7 13241300x800000000000000064464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LinkDate02/12/2021 02:15:52 13241300x800000000000000064463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\Publisheramazon inc. 13241300x800000000000000064462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xenbus.sys|e7523a385fe94ef1\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xenbus.sys 13241300x800000000000000064461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\BinProductVersion8.3.0.7 13241300x800000000000000064460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LinkDate02/12/2021 02:15:39 13241300x800000000000000064459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\Publisheramazon inc. 13241300x800000000000000064458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xen.sys|67bb7edc45be100\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\xen.sys 13241300x800000000000000064457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\BinProductVersion8.2.7.5 13241300x800000000000000064456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LinkDate12/16/2019 19:58:07 13241300x800000000000000064455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\Publisheramazon inc. 13241300x800000000000000064454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\liteagent.exe|9ddbd66af55387\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\liteagent.exe 13241300x800000000000000064453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\BinProductVersion2.1.0.0 13241300x800000000000000064452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LinkDate05/23/2009 10:37:17 13241300x800000000000000064451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\Publishermicrosoft corporation 13241300x800000000000000064450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|e98c683d63883b7\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvif\dpinst.exe 13241300x800000000000000064449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\BinProductVersion2.1.0.0 13241300x800000000000000064448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LinkDate05/23/2009 10:37:17 13241300x800000000000000064447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\Publishermicrosoft corporation 13241300x800000000000000064446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|d085d8f0649b17ca\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xennet\dpinst.exe 13241300x800000000000000064445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\BinProductVersion2.1.0.0 13241300x800000000000000064444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LinkDate05/23/2009 10:37:17 13241300x800000000000000064443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\Publishermicrosoft corporation 13241300x800000000000000064442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|c91633581a81cffd\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenbus\dpinst.exe 13241300x800000000000000064441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\BinProductVersion2.1.0.0 13241300x800000000000000064440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.790{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LinkDate05/23/2009 10:37:17 13241300x800000000000000064439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\Publishermicrosoft corporation 13241300x800000000000000064438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|40221a38c568eb82\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xenvbd\dpinst.exe 13241300x800000000000000064437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\BinProductVersion2.1.0.0 13241300x800000000000000064436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LinkDate05/23/2009 10:37:17 13241300x800000000000000064435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\Publishermicrosoft corporation 13241300x800000000000000064434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\dpinst.exe|1e846670f76471a8\LowerCaseLongPathc:\program files\amazon\xentools\.drivers\xeniface\dpinst.exe 13241300x800000000000000064433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.780{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000ecb9837aa96085e95a514805c6e0a2b900000904\PublisherAmazon Web Services 10341000x800000000000000064432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64)|C:\Windows\SysWOW64\msiexec.exe+49d4|C:\Windows\SysWOW64\msiexec.exe+4ed8|C:\Windows\SysWOW64\msiexec.exe+6af7|C:\Windows\SysWOW64\msiexec.exe+7873 10341000x800000000000000064431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64)|C:\Windows\SysWOW64\msiexec.exe+49d4|C:\Windows\SysWOW64\msiexec.exe+4ed8|C:\Windows\SysWOW64\msiexec.exe+6af7|C:\Windows\SysWOW64\msiexec.exe+7873 10341000x800000000000000064430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64) 10341000x800000000000000064429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64)|C:\Windows\SysWOW64\msiexec.exe+49d4 10341000x800000000000000064428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+1993c0(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64)|C:\Windows\SysWOW64\msiexec.exe+49d4|C:\Windows\SysWOW64\msiexec.exe+4ed8|C:\Windows\SysWOW64\msiexec.exe+6af7 10341000x800000000000000064427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1993b2(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64) 10341000x800000000000000064426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.590{43EB4363-57BA-60F5-E80A-00000000E501}75525224C:\Windows\SysWOW64\msiexec.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1993b2(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Windows\System32\msi.dll+1bf530(wow64)|C:\Windows\System32\msi.dll+9dd4e(wow64)|C:\Windows\System32\msi.dll+9ef3b(wow64)|C:\Windows\System32\msi.dll+1d3de0(wow64)|C:\Windows\System32\msi.dll+151e39(wow64)|C:\Windows\SysWOW64\msiexec.exe+49d4 13241300x800000000000000064425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:17.580{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C17F6DEF-D34C-4B75-97E1-D81062408B4A}\URLUpdateInfo(Empty) 13241300x800000000000000064424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.580{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C17F6DEF-D34C-4B75-97E1-D81062408B4A}\PublisherMicrosoft Corporation 13241300x800000000000000064423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:17.580{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exeHKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{C17F6DEF-D34C-4B75-97E1-D81062408B4A}\InstallSourceC:\ProgramData\Microsoft\DefaultPackMSI\ 10341000x800000000000000064422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.570{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-FA0A-00000000E501}2304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.560{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.560{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-F90A-00000000E501}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.460{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-F90A-00000000E501}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.450{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5452C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.422{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-F80A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.411{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-F80A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.411{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BD-60F5-F80A-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.227{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-F70A-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.216{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-F70A-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.216{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BD-60F5-F70A-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000064410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:17.201{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe2021-07-19 10:45:17.201 10341000x800000000000000064409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.192{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.191{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.191{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.191{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.191{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dafb0|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000064393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-5794-60F5-840A-00000000E501}4904C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVShNotify.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.184{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F3-60F5-A808-00000000E501}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.183{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e156e|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+dab69|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+db081|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+daddf|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+d024b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf729|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba|C:\Windows\SYSTEM32\ntdll.dll+2b644(wow64)|C:\Windows\SYSTEM32\ntdll.dll+34f26(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 13241300x800000000000000064377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000c27c9fa19b318e2f294a4ee09334849d00000904\PublisherMicrosoft Corporation 10341000x800000000000000064376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.164{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BD-60F5-F60A-00000000E501}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.151{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BD-60F5-F60A-00000000E501}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:17.151{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000064373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:17.149{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveSetup.exe2021-07-19 10:45:17.148 13241300x800000000000000064372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.115{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\BinProductVersion16.0.13127.21668 13241300x800000000000000064371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.115{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\LinkDate06/05/2021 06:29:56 13241300x800000000000000064370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.115{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\Publishermicrosoft corporation 13241300x800000000000000064369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.115{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|f1f83fd61f5a2af1\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\xlicons.exe 13241300x800000000000000064368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\BinProductVersion16.0.11629.20024 13241300x800000000000000064367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\LinkDate05/03/2019 09:17:52 13241300x800000000000000064366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\Publishermicrosoft corporation 13241300x800000000000000064365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\xlicons.exe|7d12eeff2e863364\LowerCaseLongPathc:\program files\microsoft office\root\office16\xlicons.exe 13241300x800000000000000064364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\BinProductVersion16.0.11629.20024 13241300x800000000000000064363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\LinkDate05/03/2019 09:17:50 13241300x800000000000000064362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\Publishermicrosoft corporation 13241300x800000000000000064361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.114{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|78223a0fd1214c54\LowerCaseLongPathc:\program files\microsoft office\root\office16\wordicon.exe 13241300x800000000000000064360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\BinProductVersion16.0.13127.21668 13241300x800000000000000064359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\LinkDate06/05/2021 06:29:55 13241300x800000000000000064358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\Publishermicrosoft corporation 13241300x800000000000000064357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordicon.exe|444cd0949335bdb3\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\wordicon.exe 13241300x800000000000000064356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\BinProductVersion16.0.13127.21668 13241300x800000000000000064355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\LinkDate06/05/2021 06:25:45 13241300x800000000000000064354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\Publishermicrosoft corporation 13241300x800000000000000064353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.113{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\wordconv.exe|21b337580489bd1\LowerCaseLongPathc:\program files\microsoft office\root\office16\wordconv.exe 13241300x800000000000000064352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\BinProductVersion16.0.13127.21668 13241300x800000000000000064351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\LinkDate06/05/2021 06:25:25 13241300x800000000000000064350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\Publishermicrosoft corporation 13241300x800000000000000064349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\winword.exe|13fbee5927c46013\LowerCaseLongPathc:\program files\microsoft office\root\office16\winword.exe 13241300x800000000000000064348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\BinProductVersion16.0.13127.21668 13241300x800000000000000064347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\LinkDate06/05/2021 06:13:45 13241300x800000000000000064346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\Publishermicrosoft corporation 13241300x800000000000000064345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.112{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vpreview.exe|a4f4b801e1787737\LowerCaseLongPathc:\program files\microsoft office\root\office16\vpreview.exe 13241300x800000000000000064344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\BinProductVersion16.0.13127.21668 13241300x800000000000000064343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\LinkDate06/05/2021 06:29:56 13241300x800000000000000064342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\Publishermicrosoft corporation 13241300x800000000000000064341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\visicon.exe|298c64a15915f13a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\visicon.exe 13241300x800000000000000064340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\BinProductVersion16.0.13127.21668 13241300x800000000000000064339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\LinkDate06/05/2021 06:07:56 13241300x800000000000000064338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\Publishermicrosoft corporation 13241300x800000000000000064337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ucmapi.exe|3a5e65afd4555fb0\LowerCaseLongPathc:\program files\microsoft office\root\office16\ucmapi.exe 13241300x800000000000000064336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\BinProductVersion16.0.13127.21668 13241300x800000000000000064335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.111{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\LinkDate06/05/2021 06:29:55 13241300x800000000000000064334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\Publishermicrosoft corporation 13241300x800000000000000064333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sscicons.exe|8c93d9f769666121\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\sscicons.exe 13241300x800000000000000064332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\BinProductVersion15.0.2000.311 13241300x800000000000000064331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\LinkDate03/18/2020 21:16:52 13241300x800000000000000064330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\Publishermicrosoft corporation 13241300x800000000000000064329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|f5cecdb30a72910f\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx64\microsoft analysis services\as oledb\140\sqldumper.exe 13241300x800000000000000064328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\BinProductVersion15.0.2000.311 13241300x800000000000000064327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\LinkDate03/18/2020 21:17:11 13241300x800000000000000064326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.110{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\Publishermicrosoft corporation 13241300x800000000000000064325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sqldumper.exe|464160c2533d4588\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft analysis services\as oledb\140\sqldumper.exe 13241300x800000000000000064324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\BinProductVersion16.0.11929.20112 13241300x800000000000000064323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\LinkDate08/10/2019 04:45:31 13241300x800000000000000064322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\Publishermicrosoft corporation 13241300x800000000000000064321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\spreadsheetcompa|13e8473ddb031adc\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\dcf\spreadsheetcompare.exe 13241300x800000000000000064320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\BinProductVersion16.0.13127.20164 13241300x800000000000000064319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\LinkDate08/10/2020 00:48:42 13241300x800000000000000064318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.109{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\Publishermicrosoft corporation 13241300x800000000000000064317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\smarttaginstall.|f826035e5377ee3e\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\smart tag\smarttaginstall.exe 13241300x800000000000000064316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\BinProductVersion16.0.13127.20204 13241300x800000000000000064315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\LinkDate08/15/2020 17:35:28 13241300x800000000000000064314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\Publishermicrosoft corporation 13241300x800000000000000064313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\skypeserver.exe|8a108f2e74c54779\LowerCaseLongPathc:\program files\microsoft office\root\office16\skypesrv\skypeserver.exe 13241300x800000000000000064312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\BinProductVersion16.0.13127.21668 13241300x800000000000000064311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\LinkDate06/05/2021 06:27:20 13241300x800000000000000064310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\Publishermicrosoft corporation 13241300x800000000000000064309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.108{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\setlang.exe|f09b3851d8a3961f\LowerCaseLongPathc:\program files\microsoft office\root\office16\setlang.exe 13241300x800000000000000064308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\BinProductVersion16.0.13127.21668 13241300x800000000000000064307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\LinkDate06/05/2021 06:24:34 13241300x800000000000000064306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\Publishermicrosoft corporation 13241300x800000000000000064305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\selfcert.exe|e2ec62361730e601\LowerCaseLongPathc:\program files\microsoft office\root\office16\selfcert.exe 13241300x800000000000000064304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\BinProductVersion16.0.13127.20164 13241300x800000000000000064303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\LinkDate08/10/2020 01:35:48 13241300x800000000000000064302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\Publishermicrosoft corporation 13241300x800000000000000064301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.107{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelperbgt.exe|10dd51b76d1cbf67\LowerCaseLongPathc:\program files\microsoft office\root\office16\sdxhelperbgt.exe 13241300x800000000000000064300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\BinProductVersion16.0.13127.21668 13241300x800000000000000064299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\LinkDate06/05/2021 06:23:29 13241300x800000000000000064298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\Publishermicrosoft corporation 13241300x800000000000000064297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\sdxhelper.exe|10f28420cb1d5514\LowerCaseLongPathc:\program files\microsoft office\root\office16\sdxhelper.exe 13241300x800000000000000064296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\BinProductVersion16.0.13127.21668 13241300x800000000000000064295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\LinkDate06/05/2021 06:16:27 13241300x800000000000000064294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\Publishermicrosoft corporation 13241300x800000000000000064293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.106{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\scanpst.exe|b3299f6a464b1648\LowerCaseLongPathc:\program files\microsoft office\root\office16\scanpst.exe 13241300x800000000000000064292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\BinProductVersion16.0.13127.21668 13241300x800000000000000064291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\LinkDate06/05/2021 06:29:55 13241300x800000000000000064290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\Publishermicrosoft corporation 13241300x800000000000000064289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pubs.exe|221ddcdbe2c5911d\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pubs.exe 13241300x800000000000000064288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\BinProductVersion16.0.13127.21668 13241300x800000000000000064287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\LinkDate06/05/2021 06:00:42 13241300x800000000000000064286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\Publishermicrosoft corporation 13241300x800000000000000064285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.105{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\protocolhandler.|9fae8d2618c9287e\LowerCaseLongPathc:\program files\microsoft office\root\office16\protocolhandler.exe 13241300x800000000000000064284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\BinProductVersion16.0.11629.20024 13241300x800000000000000064283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\LinkDate05/03/2019 09:17:50 13241300x800000000000000064282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\Publishermicrosoft corporation 13241300x800000000000000064281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|d7bc0ff224c77abb\LowerCaseLongPathc:\program files\microsoft office\root\office16\pptico.exe 13241300x800000000000000064280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\BinProductVersion16.0.13127.21668 13241300x800000000000000064279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\LinkDate06/05/2021 06:29:55 13241300x800000000000000064278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\Publishermicrosoft corporation 13241300x800000000000000064277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.104{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pptico.exe|39fd6212a4a4bffe\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pptico.exe 13241300x800000000000000064276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\BinProductVersion16.0.13127.21668 13241300x800000000000000064275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\LinkDate06/05/2021 06:28:40 13241300x800000000000000064274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\Publishermicrosoft corporation 13241300x800000000000000064273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\powerpnt.exe|d26b5ec93e6588c4\LowerCaseLongPathc:\program files\microsoft office\root\office16\powerpnt.exe 13241300x800000000000000064272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\BinProductVersion16.0.13127.21668 13241300x800000000000000064271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\LinkDate06/05/2021 06:29:55 13241300x800000000000000064270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\Publishermicrosoft corporation 13241300x800000000000000064269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pj11icon.exe|3eb73d0357cb7ab9\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pj11icon.exe 13241300x800000000000000064268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.103{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\BinProductVersion16.0.13127.21668 13241300x800000000000000064267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\LinkDate06/05/2021 06:14:14 13241300x800000000000000064266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\Publishermicrosoft corporation 13241300x800000000000000064265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\perfboost.exe|27e8fad257309e8d\LowerCaseLongPathc:\program files\microsoft office\root\office16\perfboost.exe 13241300x800000000000000064264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\BinProductVersion16.0.13127.21668 13241300x800000000000000064263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\LinkDate06/05/2021 06:30:28 13241300x800000000000000064262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\Publishermicrosoft corporation 13241300x800000000000000064261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.102{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\pdfreflow.exe|8db2822531d6bf4e\LowerCaseLongPathc:\program files\microsoft office\root\office16\pdfreflow.exe 13241300x800000000000000064260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\BinProductVersion16.0.13127.21668 13241300x800000000000000064259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\LinkDate06/05/2021 06:20:08 13241300x800000000000000064258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\Publishermicrosoft corporation 13241300x800000000000000064257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outlook.exe|bf505a2e251894e\LowerCaseLongPathc:\program files\microsoft office\root\office16\outlook.exe 13241300x800000000000000064256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\BinProductVersion16.0.13127.21668 13241300x800000000000000064255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\LinkDate06/05/2021 06:29:55 13241300x800000000000000064254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\Publishermicrosoft corporation 13241300x800000000000000064253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\outicon.exe|5d91efc2ef9fbaa3\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\outicon.exe 13241300x800000000000000064252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\BinProductVersion(Empty) 13241300x800000000000000064251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.101{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\LinkDate06/05/2021 06:19:00 13241300x800000000000000064250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\Publisher(Empty) 13241300x800000000000000064249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ospprearm.exe|a1d69ba702646028\LowerCaseLongPathc:\program files\microsoft office\office16\ospprearm.exe 13241300x800000000000000064248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\BinProductVersion16.0.13127.21668 13241300x800000000000000064247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\LinkDate06/05/2021 06:29:55 13241300x800000000000000064246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\Publishermicrosoft corporation 13241300x800000000000000064245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmclienticon.ex|bc2995a7d78281bf\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\osmclienticon.exe 13241300x800000000000000064244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\BinProductVersion16.0.13127.21668 13241300x800000000000000064243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\LinkDate06/05/2021 06:29:55 13241300x800000000000000064242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\Publishermicrosoft corporation 13241300x800000000000000064241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.100{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\osmadminicon.exe|1023b0e7e6d67170\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\osmadminicon.exe 13241300x800000000000000064240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\BinProductVersion16.0.13127.20164 13241300x800000000000000064239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\LinkDate08/10/2020 01:30:07 13241300x800000000000000064238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\Publishermicrosoft corporation 13241300x800000000000000064237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ose.exe|4d61fdf0b4f5491a\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\source engine\ose.exe 13241300x800000000000000064236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\BinProductVersion16.0.13127.21668 13241300x800000000000000064235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\LinkDate06/05/2021 06:21:46 13241300x800000000000000064234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\Publishermicrosoft corporation 13241300x800000000000000064233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.099{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\orgchart.exe|f3872224b48ee8a5\LowerCaseLongPathc:\program files\microsoft office\root\office16\orgchart.exe 13241300x800000000000000064232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\BinProductVersion16.0.13127.21668 13241300x800000000000000064231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\LinkDate06/05/2021 06:20:36 13241300x800000000000000064230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\Publishermicrosoft corporation 13241300x800000000000000064229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenotem.exe|ee4342edaa4ce03e\LowerCaseLongPathc:\program files\microsoft office\root\office16\onenotem.exe 13241300x800000000000000064228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\BinProductVersion16.0.13127.21668 13241300x800000000000000064227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\LinkDate06/05/2021 06:24:40 13241300x800000000000000064226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\Publishermicrosoft corporation 13241300x800000000000000064225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onenote.exe|1340679fc786a65d\LowerCaseLongPathc:\program files\microsoft office\root\office16\onenote.exe 13241300x800000000000000064224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.098{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\BinProductVersion18.151.729.13 13241300x800000000000000064223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LinkDate09/17/2018 17:44:14 13241300x800000000000000064222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\Publishermicrosoft corporation 13241300x800000000000000064221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LowerCaseLongPathc:\program files\microsoft office\root\integration\addons\onedrivesetup.exe 13241300x800000000000000064220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\BinProductVersion16.0.13127.21668 13241300x800000000000000064219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\LinkDate06/05/2021 06:14:19 13241300x800000000000000064218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\Publishermicrosoft corporation 13241300x800000000000000064217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.097{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olicenseheartbea|685556b86b591b30\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\olicenseheartbeat.exe 13241300x800000000000000064216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\BinProductVersion16.0.13127.20164 13241300x800000000000000064215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\LinkDate08/10/2020 01:17:52 13241300x800000000000000064214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\Publishermicrosoft corporation 13241300x800000000000000064213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\olcfg.exe|a02976be835ef87a\LowerCaseLongPathc:\program files\microsoft office\root\office16\olcfg.exe 13241300x800000000000000064212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\BinProductVersion16.0.13127.21668 13241300x800000000000000064211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\LinkDate06/05/2021 06:24:59 13241300x800000000000000064210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\Publishermicrosoft corporation 13241300x800000000000000064209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ohub32.exe|1cbd8b063e0dbfd8\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\ohub32.exe 13241300x800000000000000064208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\BinProductVersion16.0.13127.21668 13241300x800000000000000064207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\LinkDate06/05/2021 06:14:23 13241300x800000000000000064206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\Publishermicrosoft corporation 13241300x800000000000000064205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.096{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\officeappguardwi|1d315891d4000f76\LowerCaseLongPathc:\program files\microsoft office\root\office16\officeappguardwin32.exe 13241300x800000000000000064204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\BinProductVersion16.0.13127.21668 13241300x800000000000000064203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\LinkDate06/05/2021 06:08:37 13241300x800000000000000064202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\Publishermicrosoft corporation 13241300x800000000000000064201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ocpubmgr.exe|bf7b23fd8b5a21e6\LowerCaseLongPathc:\program files\microsoft office\root\office16\ocpubmgr.exe 13241300x800000000000000064200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\BinProductVersion16.0.13127.21668 13241300x800000000000000064199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\LinkDate06/05/2021 06:27:18 13241300x800000000000000064198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\Publishermicrosoft corporation 13241300x800000000000000064197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\namecontrolserve|6e9ebbbd25720a1f\LowerCaseLongPathc:\program files\microsoft office\root\office16\namecontrolserver.exe 13241300x800000000000000064196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\BinProductVersion16.0.13127.21668 13241300x800000000000000064195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\LinkDate06/05/2021 06:22:16 13241300x800000000000000064194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\Publishermicrosoft corporation 13241300x800000000000000064193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msqry32.exe|f4966ad2a4f8b618\LowerCaseLongPathc:\program files\microsoft office\root\office16\msqry32.exe 13241300x800000000000000064192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\BinProductVersion16.0.13127.21668 13241300x800000000000000064191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\LinkDate06/05/2021 06:19:59 13241300x800000000000000064190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\Publishermicrosoft corporation 13241300x800000000000000064189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mspub.exe|627686ba4cede96f\LowerCaseLongPathc:\program files\microsoft office\root\office16\mspub.exe 13241300x800000000000000064188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\BinProductVersion16.0.13127.20164 13241300x800000000000000064187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\LinkDate08/10/2020 01:33:30 13241300x800000000000000064186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\Publishermicrosoft corporation 13241300x800000000000000064185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoxmled.exe|9d4c86224f942115\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoxmled.exe 13241300x800000000000000064184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|fb7096179e0993a1\BinProductVersion16.0.13127.21668 13241300x800000000000000064183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|fb7096179e0993a1\LinkDate06/05/2021 06:25:35 13241300x800000000000000064182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|fb7096179e0993a1\Publishermicrosoft corporation 13241300x800000000000000064181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.094{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|fb7096179e0993a1\LowerCaseLongPathc:\program files\microsoft office\root\office16\msouc.exe 13241300x800000000000000064180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|abee62b8e3008d9b\BinProductVersion16.0.13127.21668 13241300x800000000000000064179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|abee62b8e3008d9b\LinkDate06/05/2021 06:29:55 13241300x800000000000000064178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|abee62b8e3008d9b\Publishermicrosoft corporation 13241300x800000000000000064177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msouc.exe|abee62b8e3008d9b\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\msouc.exe 13241300x800000000000000064176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\BinProductVersion16.0.13127.21668 13241300x800000000000000064175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\LinkDate06/05/2021 06:27:30 13241300x800000000000000064174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\Publishermicrosoft corporation 13241300x800000000000000064173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msotd.exe|1846727dbe2e5345\LowerCaseLongPathc:\program files\microsoft office\root\office16\msotd.exe 13241300x800000000000000064172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosync.exe|8f2f17f2ae97d344\BinProductVersion16.0.13127.21668 13241300x800000000000000064171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosync.exe|8f2f17f2ae97d344\LinkDate06/05/2021 06:25:39 13241300x800000000000000064170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosync.exe|8f2f17f2ae97d344\Publishermicrosoft corporation 13241300x800000000000000064169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.093{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosync.exe|8f2f17f2ae97d344\LowerCaseLongPathc:\program files\microsoft office\root\office16\msosync.exe 13241300x800000000000000064168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\BinProductVersion16.0.13127.21668 13241300x800000000000000064167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\LinkDate06/05/2021 06:23:32 13241300x800000000000000064166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\Publishermicrosoft corporation 13241300x800000000000000064165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msosrec.exe|7e420f036fdc982e\LowerCaseLongPathc:\program files\microsoft office\root\office16\msosrec.exe 13241300x800000000000000064164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\BinProductVersion16.0.11126.20058 13241300x800000000000000064163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\LinkDate12/09/2018 01:13:36 13241300x800000000000000064162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\Publishermicrosoft corporation 13241300x800000000000000064161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoicons.exe|3da37cfb4950ecae\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\msoicons.exe 13241300x800000000000000064160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\BinProductVersion16.0.13127.21668 13241300x800000000000000064159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\LinkDate06/05/2021 06:29:39 13241300x800000000000000064158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\Publishermicrosoft corporation 13241300x800000000000000064157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.092{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoia.exe|114864795aa55b83\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoia.exe 13241300x800000000000000064156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\BinProductVersion16.0.13127.21668 13241300x800000000000000064155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\LinkDate06/04/2021 12:49:42 13241300x800000000000000064154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\Publishermicrosoft corporation 13241300x800000000000000064153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|99dd74e197b774bf\LowerCaseLongPathc:\program files\microsoft office\root\vfs\programfilesx86\microsoft office\office16\msohtmed.exe 13241300x800000000000000064152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\BinProductVersion16.0.13127.21668 13241300x800000000000000064151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\LinkDate06/05/2021 06:18:02 13241300x800000000000000064150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\Publishermicrosoft corporation 13241300x800000000000000064149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msohtmed.exe|148478b1871e8bf3\LowerCaseLongPathc:\program files\microsoft office\root\office16\msohtmed.exe 13241300x800000000000000064148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\BinProductVersion16.0.13127.21668 13241300x800000000000000064147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\LinkDate06/05/2021 06:27:29 13241300x800000000000000064146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\Publishermicrosoft corporation 13241300x800000000000000064145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.091{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoev.exe|b4e37bd46f9380f9\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoev.exe 13241300x800000000000000064144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\BinProductVersion16.0.13127.21210 13241300x800000000000000064143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\LinkDate02/05/2021 12:55:08 13241300x800000000000000064142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\Publishermicrosoft corporation 13241300x800000000000000064141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoasb.exe|750d1f3936d98f5d\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoasb.exe 13241300x800000000000000064140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\BinProductVersion16.0.13127.21668 13241300x800000000000000064139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\LinkDate06/05/2021 06:08:26 13241300x800000000000000064138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\Publishermicrosoft corporation 13241300x800000000000000064137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msoadfsb.exe|53077702cdcc8005\LowerCaseLongPathc:\program files\microsoft office\root\office16\msoadfsb.exe 13241300x800000000000000064136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\BinProductVersion16.0.13127.21668 13241300x800000000000000064135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\LinkDate06/05/2021 06:15:37 13241300x800000000000000064134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\Publishermicrosoft corporation 13241300x800000000000000064133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.090{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\msaccess.exe|77cffae26fbe2b5\LowerCaseLongPathc:\program files\microsoft office\root\office16\msaccess.exe 13241300x800000000000000064132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\BinProductVersion16.0.13127.21668 13241300x800000000000000064131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\LinkDate06/05/2021 06:16:16 13241300x800000000000000064130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\Publishermicrosoft corporation 13241300x800000000000000064129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mlcfg32.cpl|31c16fc3f63fc7dc\LowerCaseLongPathc:\program files\microsoft office\root\office16\mlcfg32.cpl 13241300x800000000000000064128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\BinProductVersion16.0.13127.21668 13241300x800000000000000064127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\LinkDate06/05/2021 06:29:55 13241300x800000000000000064126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\Publishermicrosoft corporation 13241300x800000000000000064125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|e53c61630655f462\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-0c0a-1000-0000000ff1ce}\misc.exe 13241300x800000000000000064124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\BinProductVersion16.0.13127.21668 13241300x800000000000000064123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\LinkDate06/05/2021 06:29:55 13241300x800000000000000064122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\Publishermicrosoft corporation 13241300x800000000000000064121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.089{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|d72ba68dc6224853\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-006e-0409-1000-0000000ff1ce}\misc.exe 13241300x800000000000000064120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\BinProductVersion16.0.13127.21668 13241300x800000000000000064119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\LinkDate06/05/2021 06:29:55 13241300x800000000000000064118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\Publishermicrosoft corporation 13241300x800000000000000064117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|88c5db986dc6d3ce\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-040c-1000-0000000ff1ce}\misc.exe 13241300x800000000000000064116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\BinProductVersion16.0.13127.21668 13241300x800000000000000064115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\LinkDate06/05/2021 06:29:55 13241300x800000000000000064114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.088{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\Publishermicrosoft corporation 13241300x800000000000000064113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|74c239057bc7b55b\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-001f-0409-1000-0000000ff1ce}\misc.exe 13241300x800000000000000064112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\BinProductVersion16.0.8528.2126 13241300x800000000000000064111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\LinkDate09/29/2017 23:29:19 13241300x800000000000000064110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\Publishermicrosoft corporation 13241300x800000000000000064109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|6a82b5241464385b\LowerCaseLongPathc:\program files\microsoft office\root\office16\misc.exe 13241300x800000000000000064108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\BinProductVersion16.0.13127.21668 13241300x800000000000000064107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\LinkDate06/05/2021 06:29:55 13241300x800000000000000064106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.087{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\Publishermicrosoft corporation 13241300x800000000000000064105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\misc.exe|34dbf5ff896a9c69\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\misc.exe 13241300x800000000000000064104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\BinProductVersion0.0.0.0 13241300x800000000000000064103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\LinkDate08/18/2020 19:40:54 13241300x800000000000000064102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\Publishermicrosoft corporation 13241300x800000000000000064101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|f091cf2f235e136d\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.netfx45.exe 13241300x800000000000000064100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\BinProductVersion0.0.0.0 13241300x800000000000000064099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\LinkDate08/18/2020 19:40:54 13241300x800000000000000064098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\Publishermicrosoft corporation 13241300x800000000000000064097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|a56df878940cffa2\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.netfx40.exe 13241300x800000000000000064096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\BinProductVersion0.0.0.0 13241300x800000000000000064095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\LinkDate08/18/2020 19:40:54 13241300x800000000000000064094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\Publishermicrosoft corporation 13241300x800000000000000064093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|2c539c4e8f922a27\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.exe 13241300x800000000000000064092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\BinProductVersion2.84.801.0 13241300x800000000000000064091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\LinkDate08/18/2020 19:34:20 13241300x800000000000000064090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\Publishermicrosoft corporation 13241300x800000000000000064089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoft.mashup|237e2a2192600ea3\LowerCaseLongPathc:\program files\microsoft office\root\office16\addins\microsoft power query for excel integrated\bin\microsoft.mashup.container.loader.exe 13241300x800000000000000064088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\BinProductVersion16.0.13127.21668 13241300x800000000000000064087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\LinkDate06/05/2021 06:29:55 13241300x800000000000000064086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\Publishermicrosoft corporation 13241300x800000000000000064085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lyncicon.exe|cf5ccf14e5b4e8d6\LowerCaseLongPathc:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\lyncicon.exe 13241300x800000000000000064084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\BinProductVersion16.0.13127.21668 13241300x800000000000000064083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\LinkDate06/05/2021 06:08:38 13241300x800000000000000064082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\Publishermicrosoft corporation 13241300x800000000000000064081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lynchtmlconv.exe|963a17d6e811cd33\LowerCaseLongPathc:\program files\microsoft office\root\office16\lynchtmlconv.exe 13241300x800000000000000064080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\BinProductVersion16.0.13127.21668 13241300x800000000000000064079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\LinkDate06/05/2021 06:08:47 13241300x800000000000000064078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:17.084{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\lync99.exe|11bf44393ed6256a\Publishermicrosoft corporation 23542300x800000000000000028919Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:20.968{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2BAD4718C6235D225A0AC5B85252F4D8,SHA256=7AF798FAFBCC36620167D4093286CD5499E47ED2CEB20C07936CF5A249C80D4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028918Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:20.531{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A21D926CD93054648F87446ACFA2A0,SHA256=ED34813D6B310F0BAD37E52AB9D242EC0F8CE5FE26751A43FD322A324F8CF5CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.955{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.955{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.955{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-57A1-60F5-C80A-00000000E501}41004384C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\SHELL32.dll+18be74(wow64)|C:\Windows\System32\SHELL32.dll+18bd4e(wow64)|C:\Windows\System32\SHELL32.dll+1ad65a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000064877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.952{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe18.151.0729.0013Microsoft OneDrive Configuration ApplicationMicrosoft OneDriveMicrosoft CorporationFileSyncConfig.exe"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe" C:\Windows\system32\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=2A333CC67C3DAAD5E4784A08CA4210C8,SHA256=5345A52E737F80DE378C2E4F61E56B9D169E01CCF4C2DBFA1099A336ED9FAFF2,IMPHASH=479A0D583C2F6822F3BBC39A672D3852{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe /silent /peruser /childprocess /enableOMCTelemetry 10341000x800000000000000064876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-37A7-60F5-1000-00000000E501}3684988C:\Windows\System32\svchost.exe{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.945{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.895{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveStandaloneUpdater.exeMD5=4F6374A871C1D85A31B172061C785E92,SHA256=37675A3F272700BF3BE32C5CE4AC78E3390BF9A210AC62B304F876B2A929345C,IMPHASH=DDED089A98AA2CAD28EE371811657DE9truetrue 11241100x800000000000000064873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localEXE2021-07-19 10:45:21.875{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe2021-07-19 10:45:21.875 23542300x800000000000000064872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.875{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDrive.VisualElementsManifest.xmlMD5=DDCBC6AB58FF4F81ACE430E932179977,SHA256=2647BC7D5D80E3A1323793D3125CC845CE067A7BEF4521CF8DBE8955F9587135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.875{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Resources.priMD5=7473BE9C7899F2A2DA99D09C596B2D6D,SHA256=E1252527BC066DA6838344D49660E4C6FF2D1DDFDA036C5EC19B07FDFB90C8C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.875{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.scale-400.pngMD5=80272785B68CEE17562300786F0FA59B,SHA256=BB89239434644337760C382DB336F80E16494D12D3E9258985DA74B734F423A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.874{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.scale-200.pngMD5=5BE57D0496257EC3B690A85C7AFEEA95,SHA256=3EC8CF118D4EEF4C6AF68CB5C679B71991C37E5A0F72AD9C3BF4027AFB4180FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.872{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.scale-150.pngMD5=8A85AA646709AE9D2681F83ED85D14F2,SHA256=35FCC1231BDD1BF82FEB86777EC5EC982515B188CB9C52DDAB9FF43D9FAB0366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.869{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.scale-125.pngMD5=BDA3BAF91F230BF2B10E2E019ABC3EFF,SHA256=D2D097D39687AC886D8836A553F8D1B581723094AE5539A259C0259585D99475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.867{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.scale-100.pngMD5=52F5BE0F8D3C5150B591A4656A50D6B0,SHA256=B00B6A09F4AA9DFFF7026FF9C2EA5EC0236B05AE8B99D0CDB35C3A1EA78A5D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.855{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-400.pngMD5=A85ADDC7DF73937053D80FDFAAFDB76A,SHA256=A1A9AEF9837E8A555AE95338FC358FCF24A8ACCC2AAF6E49B8FEC60818A7216E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.855{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-200.pngMD5=40FEB212FAF4DCF564629E23A310FFA4,SHA256=FB0DACBD8567FBB468A506AB8B33AFA95D555DA74AEF8EB1ECCBF928216E8C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.855{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-150.pngMD5=0E3D8F803AD480D38DA0A3B925C02106,SHA256=225D709C0E85F6E37C9F2625DE07C4572A945F165D80E14A50906927821064B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.855{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-125.pngMD5=B7D80EEA5EC49B3620D1E15D81912EE4,SHA256=3A50DA1C6A1BFE9F6ACC0594B740F5544C6304C1AABBDF4D04CEE367FB811150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.845{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-white_scale-100.pngMD5=1AF06C14BAF9292118292D2E86E10F4B,SHA256=CA3F45E98FCD7A144623B75B6C8ED907C00E3D410627EB0091F01423DBAC8DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.845{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-400.pngMD5=80272785B68CEE17562300786F0FA59B,SHA256=BB89239434644337760C382DB336F80E16494D12D3E9258985DA74B734F423A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.845{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-200.pngMD5=5BE57D0496257EC3B690A85C7AFEEA95,SHA256=3EC8CF118D4EEF4C6AF68CB5C679B71991C37E5A0F72AD9C3BF4027AFB4180FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.845{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-150.pngMD5=8A85AA646709AE9D2681F83ED85D14F2,SHA256=35FCC1231BDD1BF82FEB86777EC5EC982515B188CB9C52DDAB9FF43D9FAB0366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\inprogressinstallinfo.ipiMD5=F727CECC76CC4093BAD5C8A1B2A375A1,SHA256=8F9500FE7AE2EADA69B750E9F61C860C0330E299A11327616BDA05430C375B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-125.pngMD5=BDA3BAF91F230BF2B10E2E019ABC3EFF,SHA256=D2D097D39687AC886D8836A553F8D1B581723094AE5539A259C0259585D99475,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF09364416C066778E.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000064854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF7FEEBFA9F60B2BF3.TMPMD5=F727CECC76CC4093BAD5C8A1B2A375A1,SHA256=8F9500FE7AE2EADA69B750E9F61C860C0330E299A11327616BDA05430C375B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveSmallTile.contrast-black_scale-100.pngMD5=52F5BE0F8D3C5150B591A4656A50D6B0,SHA256=B00B6A09F4AA9DFFF7026FF9C2EA5EC0236B05AE8B99D0CDB35C3A1EA78A5D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFBA6FEB56E500B039.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000064851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFDA1423CA64FC1B3A.TMPMD5=F727CECC76CC4093BAD5C8A1B2A375A1,SHA256=8F9500FE7AE2EADA69B750E9F61C860C0330E299A11327616BDA05430C375B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.835{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.scale-400.pngMD5=1554DD2698B5F2D81445704D4F4C58BA,SHA256=F31EB37B641E0AB8782EF294ADB57D31135E5AAD8838C06F8FDB0A86929E39C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.825{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.scale-200.pngMD5=A2184C1047A0C1FAB0F465F2355CCF92,SHA256=EB846E01333B2DD4CE1C2AECCBD6D90874F976948B881AA362E13593A254AD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.825{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\79c63a.msiMD5=4A67BE63EE3A210DEAD1DFD56C3B87A8,SHA256=CF5AE9A4C62484F328FF20951678D7D795CBB0CA60BE43DDA1310FF02C2D50E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.825{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.scale-150.pngMD5=262B8476753F83B4ABD01017DCDB061F,SHA256=EF6AC1CAA0AEBE3D94BA86856FD69D68F370588A678B1B6F9F90C83B161D87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.825{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.scale-125.pngMD5=F837C5AA1F38D8241B28B92D15EEBE75,SHA256=CC134DAAA737E48E0F37FF5BECE33E23484C47B55CB6571F3283E73E14F54334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.scale-100.pngMD5=433D5C9BFE71C70E6BF1F18B7DA188F4,SHA256=3BA55B200B58756480679CF8B6B98D7B3570F8DFCDB39186F721357DA8D8172C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-white_scale-400.pngMD5=28005183D565FD56057FF53C2271C256,SHA256=ECF4E09027031C0DC5F66CBEEF68A96D59947C6EFF969FEF9908DDBBF9CDD3E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFB64CD3351592CDDF.TMPMD5=04B6F3B06A77501D8010BD59368D0BE2,SHA256=9C99EFF31096091CB13CEDEA62DCF5C5708EFDE0774365867CE980D3FD25739E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-white_scale-200.pngMD5=D69B68D21ED0C659704BCA13218267C0,SHA256=78AEA1A92CF325B6F2B1C8D2438122A3A38396EF28CCF4E6A77896BD1D04A31F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DFF5165275BAE219A8.TMPMD5=887FE57F8AB259D7748D2C849094F1DE,SHA256=9A8CE09D8160A7183884966AA170E455EDC90A58D0E104AD8C80DFD4D233FA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.815{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-white_scale-150.pngMD5=748E43B4DA7F7FC91A98534F1C90C32F,SHA256=4EABC71F16AFAAFF190302A2656FC9FAF542632B75F8294C721D008B9A51B46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-white_scale-125.pngMD5=5588D3464D135BDA19ECB5F6284F1AA5,SHA256=2AA13D9AB91C6E04292A1D4E635FDD337088CCD8CEBECE9880C5FC67CED53FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Config.Msi\79c63c.rbsMD5=7633F34135F4FF8332CC248C6C5B8A6F,SHA256=1007F9CDC3AD96B7044EB763944897FA74D1525B0AB19D101FE843662B8387C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-white_scale-100.pngMD5=F0FD948F7E9D30F657C55490C70EE327,SHA256=24685CA3546F1F95F9E9BECA29534E134E69B031923E45723558201762BBA147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-black_scale-400.pngMD5=1554DD2698B5F2D81445704D4F4C58BA,SHA256=F31EB37B641E0AB8782EF294ADB57D31135E5AAD8838C06F8FDB0A86929E39C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF6B32565DF77EAADB.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000064834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.805{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF3B47173E7B73097F.TMPMD5=7F742924C0AB1A6E789BDA5D51B6919B,SHA256=99B1AAFDB1FFB894D98610B8ECFC53CAA28E46EDB51F1B1248DC1F55B0E1DAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.795{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-black_scale-200.pngMD5=A2184C1047A0C1FAB0F465F2355CCF92,SHA256=EB846E01333B2DD4CE1C2AECCBD6D90874F976948B881AA362E13593A254AD70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.795{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF74F0AFB9544D3E54.TMPMD5=BF619EAC0CDF3F68D496EA9344137E8B,SHA256=076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x800000000000000064831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.795{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-black_scale-150.pngMD5=262B8476753F83B4ABD01017DCDB061F,SHA256=EF6AC1CAA0AEBE3D94BA86856FD69D68F370588A678B1B6F9F90C83B161D87AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.795{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Temp\~DF8281B775B99F38A0.TMPMD5=7F742924C0AB1A6E789BDA5D51B6919B,SHA256=99B1AAFDB1FFB894D98610B8ECFC53CAA28E46EDB51F1B1248DC1F55B0E1DAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D740164C6ED80F5941E4138670F19C56,SHA256=10CC291EB5425F032D37F3C8F0E363048BCC064107D91879E29361006318F13B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BE8AAAEAEAB558A7BF858297B07504E6,SHA256=0127C7D39FEAEB64036C5DC7F2A3028E445266697AF60F9DAAE5390E675540A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.775{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-black_scale-125.pngMD5=F837C5AA1F38D8241B28B92D15EEBE75,SHA256=CC134DAAA737E48E0F37FF5BECE33E23484C47B55CB6571F3283E73E14F54334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.725{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\ActionCenterCache\microsoft-explorer-notification--d1f6275c-b9a0-a25e-7f73-51b54487be4c-_8_0.pngMD5=00E5FCFD833151F7CBDE607E2F7AFEB4,SHA256=B80192AAABE007BAECD0603E3CE183E9D554B8A6B0411D20716ACFA086AE3035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.645{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-250B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.635{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C1-60F5-250B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.635{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C1-60F5-250B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.595{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LogoImages\OneDriveMedTile.contrast-black_scale-100.pngMD5=433D5C9BFE71C70E6BF1F18B7DA188F4,SHA256=3BA55B200B58756480679CF8B6B98D7B3570F8DFCDB39186F721357DA8D8172C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.535{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.505{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-240B-00000000E501}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.495{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.495{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.485{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.485{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.485{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000064809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.485{43EB4363-37B7-60F5-2800-00000000E501}28565152C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.485{43EB4363-37B7-60F5-2800-00000000E501}28565152C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x800000000000000064807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.472{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-230B-00000000E501}7140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.455{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.455{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.415{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BE8AAAEAEAB558A7BF858297B07504E6,SHA256=0127C7D39FEAEB64036C5DC7F2A3028E445266697AF60F9DAAE5390E675540A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.415{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE3458BC7DF832D6E327A1249EA212A5,SHA256=9D67A044CAF866E012F979F2A16E296E0F878E00A3FB5FBBCBF150EDFB7F8F43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.375{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-220B-00000000E501}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.367{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C1-60F5-220B-00000000E501}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.367{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C5-60F5-8808-00000000E501}46328152C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\system32\twinui.pcshell.dll+27c24|C:\Windows\system32\twinui.pcshell.dll+17316|C:\Windows\system32\twinui.pcshell.dll+17671|C:\Windows\system32\twinui.pcshell.dll+176a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000064795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000064794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.223{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000064786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fc6e|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3fbe5|C:\Windows\SYSTEM32\twinapi.appcore.dll+2effb|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357b5|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f0db|C:\Windows\System32\modernexecserver.dll+3f049|C:\Windows\System32\modernexecserver.dll+3fd2f|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3f6a2|C:\Windows\System32\modernexecserver.dll+3fd1e|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+3f342|C:\Windows\System32\modernexecserver.dll+3fd0b|C:\Windows\System32\modernexecserver.dll+3fe52|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22888060C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+41bd7|C:\Windows\System32\modernexecserver.dll+3fdee|C:\Windows\SYSTEM32\twinapi.appcore.dll+2efb4|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f0e4|C:\Windows\SYSTEM32\twinapi.appcore.dll+357ab|C:\Windows\SYSTEM32\twinapi.appcore.dll+34ef6|C:\Windows\SYSTEM32\twinapi.appcore.dll+34eb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+2f400|C:\Windows\System32\modernexecserver.dll+47a8c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000064779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.213{43EB4363-55C4-60F5-7E08-00000000E501}22882120C:\Windows\system32\sihost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+119d|C:\Windows\System32\modernexecserver.dll+478ab|C:\Windows\System32\modernexecserver.dll+476e0|C:\Windows\System32\modernexecserver.dll+4763b|C:\Windows\System32\modernexecserver.dll+3985d|C:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll+1781|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000064778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.093{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-210B-00000000E501}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.083{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.083{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.033{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-200B-00000000E501}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.023{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.023{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}1164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.953{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1F0B-00000000E501}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.943{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.943{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.893{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1E0B-00000000E501}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.883{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.883{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.823{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1D0B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.813{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.813{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.769{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1C0B-00000000E501}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.753{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.753{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.693{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1B0B-00000000E501}7900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.683{43EB4363-56CD-60F5-F608-00000000E501}7548NT AUTHORITY\SYSTEMC:\Windows\system32\msiexec.exeC:\Windows\Installer\MSI66D1.tmpMD5=6118751E535D295A0FF0057F1333EBC3,SHA256=C8E519FCA14F727EAB10B44C2EC67E45CE9874229DFA7F29DBE77742B2066176,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.683{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.683{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7900C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.633{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-1A0B-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.623{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.623{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.593{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDrive.exeMD5=E22475A3A3FD996E6AED8FB344FC1277,SHA256=A1FBD37A3F712E6C90A94C35DB03190D221CB6BDCB33D71DCE3A68DB4E88354B,IMPHASH=0DDE6F6385D4E009D674E84073836363truetrue 10341000x800000000000000064752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.568{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-190B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.552{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.552{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.493{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-180B-00000000E501}3664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.483{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.483{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3664C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.422{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-170B-00000000E501}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.412{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.412{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.365{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-160B-00000000E501}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.342{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.342{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.302{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-150B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.292{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.292{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.252{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-140B-00000000E501}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.232{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.232{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.192{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-130B-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.182{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.182{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.132{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57C0-60F5-120B-00000000E501}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.122{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.122{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}8100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.971{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-110B-00000000E501}7740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.951{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.951{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7740C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.864{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-100B-00000000E501}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.841{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.841{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.763{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CB5F6E44BF19255C61E05579914795BB,SHA256=53CD872901EA2C0F213AB26912C881C0AA230638A6D3F0E98B5A41E5AF9F61E0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.751{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0F0B-00000000E501}7788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.741{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.741{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7788C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.711{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.681{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0E0B-00000000E501}948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.671{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.671{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.665{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=85ACC7B3AE3C1ACEC3CD9718756FEC25,SHA256=4FB225D9432BF4F27EBDB18F0E6F2B6CF44172328F4ADE912011DF1F1DBF2074,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.641{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0D0B-00000000E501}7444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.631{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.631{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.621{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74F79590C3CB55B9DE7A15FD7FD32C05,SHA256=B16805985250877A3EA83AED5BCA101BAB32F5E005A0D0E68A9AF30E7614BAC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.601{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0C0B-00000000E501}8080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.581{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}8080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.581{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}8080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.411{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB4A1B57B96916524680C03DBF40745,SHA256=13D68907BDDD309EA2F3DBDDB1EFFD46E42C2547F448A3B1E631594568A0A1D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.391{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0B0B-00000000E501}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.371{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.371{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.338{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-0A0B-00000000E501}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.325{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BF-60F5-0A0B-00000000E501}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.324{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.255{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-090B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.252{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\BinProductVersion18.151.729.13 13241300x800000000000000064697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.252{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LinkDate09/17/2018 17:44:14 13241300x800000000000000064696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\Publishermicrosoft corporation 13241300x800000000000000064695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LowerCaseLongPathc:\program files\microsoft office\root\integration\addons\onedrivesetup.exe 13241300x800000000000000064694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\BinProductVersion16.0.13127.21668 13241300x800000000000000064693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LinkDate06/05/2021 06:03:12 13241300x800000000000000064692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\Publishermicrosoft corporation 13241300x800000000000000064691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LowerCaseLongPathc:\program files\microsoft office\root\integration\integrator.exe 13241300x800000000000000064690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.251{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00002663d8da354956d1978535c6575c9f8e00000000\PublisherMicrosoft Corporation 13241300x800000000000000064689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainbootstrap.ex|e0e8217a85996769\BinProductVersion1.0.0.0 13241300x800000000000000064688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainbootstrap.ex|e0e8217a85996769\LinkDate03/12/2099 03:28:12 13241300x800000000000000064687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainbootstrap.ex|e0e8217a85996769\Publisher(Empty) 13241300x800000000000000064686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainbootstrap.ex|e0e8217a85996769\LowerCaseLongPathc:\programdata\microsoft\defaultpackmsi\mainbootstrap.exe 13241300x800000000000000064685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.243{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\000039d7dda64d42d52d47a8c1ef2de554f100000904\PublisherMicrosoft 13241300x800000000000000064684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.235{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstallservice|b474e6e3b02d0a2f\BinProductVersion1.0.0.0 13241300x800000000000000064683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.235{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstallservice|b474e6e3b02d0a2f\LinkDate12/02/2073 23:47:04 13241300x800000000000000064682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.234{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstallservice|b474e6e3b02d0a2f\Publisher(Empty) 13241300x800000000000000064681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.234{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\uninstallservice|b474e6e3b02d0a2f\LowerCaseLongPathc:\program files (x86)\microsoft\microsoft search in bing\uninstallservice.exe 13241300x800000000000000064680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.234{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\removemsbextensi|93cc3e9226dd48dc\BinProductVersion1.0.0.0 13241300x800000000000000064679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.234{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\removemsbextensi|93cc3e9226dd48dc\LinkDate04/25/2077 17:19:24 13241300x800000000000000064678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\removemsbextensi|93cc3e9226dd48dc\Publisher(Empty) 13241300x800000000000000064677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\removemsbextensi|93cc3e9226dd48dc\LowerCaseLongPathc:\program files (x86)\microsoft\microsoft search in bing\removemsbextension.exe 13241300x800000000000000064676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoftsearchi|c0ce89b6d5da1587\BinProductVersion1.0.0.0 13241300x800000000000000064675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoftsearchi|c0ce89b6d5da1587\LinkDate09/17/2080 23:31:16 13241300x800000000000000064674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoftsearchi|c0ce89b6d5da1587\Publisher(Empty) 13241300x800000000000000064673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.233{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\microsoftsearchi|c0ce89b6d5da1587\LowerCaseLongPathc:\program files (x86)\microsoft\microsoft search in bing\microsoftsearchinbing.exe 13241300x800000000000000064672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainextbootstrap|8c1cfa07cd2269e4\BinProductVersion1.0.0.0 13241300x800000000000000064671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainextbootstrap|8c1cfa07cd2269e4\LinkDate08/03/2044 21:14:45 13241300x800000000000000064670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainextbootstrap|8c1cfa07cd2269e4\Publisher(Empty) 13241300x800000000000000064669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\mainextbootstrap|8c1cfa07cd2269e4\LowerCaseLongPathc:\program files (x86)\microsoft\microsoft search in bing\mainextbootstrap.exe 13241300x800000000000000064668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\extensionnativeh|84dfb41629fd8d14\BinProductVersion1.0.0.0 13241300x800000000000000064667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\extensionnativeh|84dfb41629fd8d14\LinkDate03/16/2053 06:17:47 13241300x800000000000000064666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\extensionnativeh|84dfb41629fd8d14\Publisher(Empty) 13241300x800000000000000064665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.232{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\extensionnativeh|84dfb41629fd8d14\LowerCaseLongPathc:\program files (x86)\microsoft\microsoft search in bing\extensionnativehost.exe 13241300x800000000000000064664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.231{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000e69baca32582bf26aefc45ba1980a48700000904\PublisherMicrosoft Corporation 10341000x800000000000000064663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.230{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BF-60F5-090B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.229{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BF-60F5-090B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.222{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\BinProductVersion14.28.29913.0 13241300x800000000000000064660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.222{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\LinkDate11/18/2017 21:37:28 13241300x800000000000000064659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.221{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\Publishermicrosoft corporation 13241300x800000000000000064658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.221{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\vc_redist.x64.ex|b72113d8ab25b2ea\LowerCaseLongPathc:\programdata\package cache\{855e31d2-9031-46e1-b06d-c9d7777deefb}\vc_redist.x64.exe 13241300x800000000000000064657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.214{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000a0119b997e1ff1f405659fca10378fff0000ffff\PublisherMicrosoft Corporation 13241300x800000000000000064656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:19.202{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\BinProductVersion1.4.0.7174 13241300x800000000000000064655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:19.202{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\LinkDate10/02/2020 12:48:24 13241300x800000000000000064654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.202{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\Publishermicrosoft corporation 13241300x800000000000000064653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:19.202{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\teams.exe|5aad1169f41a3221\LowerCaseLongPathc:\program files (x86)\teams installer\teams.exe 13241300x800000000000000064652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.202{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00003e220441f00ee97acf2a0436ab623d7d00000904\PublisherMicrosoft Corporation 13241300x800000000000000064651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:19.175{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00002c936e41bc0769c6acad68393b5d5ed700000904\PublisherAmazon Web Services Developer Relations 10341000x800000000000000064650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.071{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BF-60F5-080B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.058{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BF-60F5-080B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.057{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:19.016{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-070B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.998{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BE-60F5-070B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.998{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BE-60F5-070B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.922{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-060B-00000000E501}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.912{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.912{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.845{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-050B-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.822{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.822{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.622{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-040B-00000000E501}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.602{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.602{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.562{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-030B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.552{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.552{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.512{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-020B-00000000E501}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.492{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.492{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.447{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-010B-00000000E501}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.432{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.432{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2728C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.392{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-000B-00000000E501}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.382{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.382{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7760C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.321{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-FF0A-00000000E501}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.311{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57BE-60F5-FF0A-00000000E501}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.301{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}96C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\amazonssmagentse|214dacabb5094259\BinProductVersion3.0.1124.0 13241300x800000000000000064619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\amazonssmagentse|214dacabb5094259\LinkDate05/01/2017 14:33:52 13241300x800000000000000064618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\amazonssmagentse|214dacabb5094259\Publisheramazon web services 13241300x800000000000000064617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.244{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\amazonssmagentse|214dacabb5094259\LowerCaseLongPathc:\programdata\package cache\{20b0b626-5984-4e9d-8bec-73647e598358}\amazonssmagentsetup.exe 13241300x800000000000000064616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.243{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00001fc069108c4df3a9cc9129e0e8110d790000ffff\PublisherAmazon Web Services 10341000x800000000000000064615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.221{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-FE0A-00000000E501}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.211{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.211{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.201{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\BinProductVersion2.0.6.0 13241300x800000000000000064610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\LinkDate09/17/2019 05:33:38 13241300x800000000000000064609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\Publisheramazon web services 13241300x800000000000000064608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\aws-cfn-bootstra|65c81b6df64de18d\LowerCaseLongPathc:\programdata\package cache\{09259595-ce26-4705-b47e-59d9e3ccebb9}\aws-cfn-bootstrap-bundle.exe 13241300x800000000000000064607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.171{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\0000a32b64966830ad0100b29547ca5511020000ffff\PublisherAmazon Web Services 10341000x800000000000000064606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.151{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-FD0A-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.140{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57BE-60F5-FD0A-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.140{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57BE-60F5-FD0A-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.095{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00000bc19da022eb94eca75a727b615c201e00000904\PublisherMicrosoft Corporation 13241300x800000000000000064602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\BinProductVersion(Empty) 13241300x800000000000000064601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LinkDate01/01/1970 00:00:00 13241300x800000000000000064600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\Publisher(Empty) 13241300x800000000000000064599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.086{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\ssm-agent-worker|7d818f178f6c8fa8\LowerCaseLongPathc:\program files\amazon\ssm\ssm-agent-worker.exe 13241300x800000000000000064598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.085{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplication\00001fc069108c4df3a9cc9129e0e8110d7900000904\PublisherAmazon Web Services 10341000x800000000000000064597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.069{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57BE-60F5-FC0A-00000000E501}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.057{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57BE-60F5-FC0A-00000000E501}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:18.057{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\BinProductVersion(Empty) 13241300x800000000000000064593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LinkDate01/10/2020 01:30:07 13241300x800000000000000064592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\Publisher(Empty) 13241300x800000000000000064591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\srm.exe|928901d4ccf4225c\LowerCaseLongPathc:\program files\splunkuniversalforwarder\bin\srm.exe 13241300x800000000000000064590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\BinProductVersion10.0.10011.16384 13241300x800000000000000064589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:18.040{43EB4363-579F-60F5-BB0A-00000000E501}6916C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{4edb2ecb-ea40-0bdd-7641-4ef4e6001976}\Root\InventoryApplicationFile\splunkmonitornoh|e59d09056446ab10\LinkDate10/02/2019 17:37:14 23542300x800000000000000028931Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:21.718{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D0CBC15383FB7BB208139333C02C62,SHA256=79BA31C2A3D0F0613E41E8B869A9177BF5A8823DF9095B145C564AF499CF1FF0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000028930Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028929Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00754c61) 13241300x800000000000000028928Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0xca577da1) 13241300x800000000000000028927Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0x2c1be5a1) 13241300x800000000000000028926Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x8de04da1) 13241300x800000000000000028925Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000028924Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00754c61) 13241300x800000000000000028923Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c82-0xca577da1) 13241300x800000000000000028922Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0x2c1be5a1) 13241300x800000000000000028921Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:45:21.656{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c93-0x8de04da1) 23542300x800000000000000028920Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:21.390{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.826{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-330B-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.816{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-330B-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.816{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-330B-00000000E501}5048C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:20.666{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local58267- 10341000x800000000000000065009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.776{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-320B-00000000E501}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.774{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-320B-00000000E501}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.774{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-320B-00000000E501}7964C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-310B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.706{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-310B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.706{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-310B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.676{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-300B-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.673{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-300B-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.672{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-300B-00000000E501}7696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.636{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2F0B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.626{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2F0B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.626{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2F0B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.586{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2E0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.576{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2E0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.576{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2E0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.546{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2D0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.536{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2D0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.536{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2D0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.486{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2C0B-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.476{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2C0B-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.476{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2C0B-00000000E501}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.446{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2B0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.436{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2B0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.436{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2B0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.416{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-2A0B-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000064984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.406{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F69981EB63CA0828D7C8FE2D4081AFF1,SHA256=F4DF6602335881EC6E1AB1B9E1257346DCD6A1E1FAED2BA8DA246606E0A5A1BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.406{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=751F4E746A5E940B4AAFF9DEC04033D7,SHA256=22EA8EE28CDA96985E74F199CA73B4DFB396C1FA144F3AFBE1873878CE8F8397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000064982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.406{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=42C21D5C8917E37B92250D07284717E8,SHA256=A65CDBB7952AFE7997419C7D502F017AFE42DF826371797FCB8BD442248F6961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000064981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.396{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-2A0B-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.396{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-2A0B-00000000E501}6644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.355{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-290B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.345{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-290B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.345{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-290B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.275{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-280B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.264{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-280B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.264{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-280B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.206{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C2-60F5-270B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.196{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C2-60F5-270B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000064971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.196{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C2-60F5-270B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.116{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000064969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10532021-07-19 10:45:22.096{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-4085236968-3260266398-3930693997-5002021-07-19 10:45:22.096 13241300x800000000000000064968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive7\(Default){C5FF006E-2AE9-408C-B85B-2DFDD5449D9C} 13241300x800000000000000064967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive6\(Default){9AA2F32D-362A-42D9-9328-24A483E2CCC3} 13241300x800000000000000064966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive5\(Default){A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} 13241300x800000000000000064965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive4\(Default){F241C880-6982-4CE5-8CF7-7085BA96DA5A} 13241300x800000000000000064964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive3\(Default){A78ED123-AB77-406B-9962-2A5D9D2F7F30} 13241300x800000000000000064963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive2\(Default){5AB7172C-9C11-405C-8DD5-AF20F3606282} 13241300x800000000000000064962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ OneDrive1\(Default){BBACC218-34EA-4666-9D7A-C78F2274A524} 13241300x800000000000000064961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\UrlUpdateInfohttp://go.microsoft.com/fwlink/?LinkID=223554 13241300x800000000000000064960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\UrlUpdateInfohttp://go.microsoft.com/fwlink/?LinkID=223554 13241300x800000000000000064959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OneDriveSetup.exe\PublisherMicrosoft Corporation 10341000x800000000000000064958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b84e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba 10341000x800000000000000064957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b84e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba 10341000x800000000000000064956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b84e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3 10341000x800000000000000064955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b84e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6 10341000x800000000000000064954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba 10341000x800000000000000064953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba 10341000x800000000000000064952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3 10341000x800000000000000064951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6 10341000x800000000000000064950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1e3dfa(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e285b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+df7ba 10341000x800000000000000064949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6 10341000x800000000000000064948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.086{43EB4363-57A1-60F5-C80A-00000000E501}4100360C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3dec(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+9b83e(wow64)|C:\Windows\System32\windows.storage.dll+9b6cb(wow64)|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca460|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+ca82b|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+cf8e3|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+de6e6|C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exe+e6a52 11241100x800000000000000064947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT10232021-07-19 10:45:22.075{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk2021-07-19 10:45:22.075 534500x800000000000000064946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.069{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe 10341000x800000000000000064945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.066{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\SHELL32.dll+2406b7(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000064944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.066{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\SHELL32.dll+2406b7(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000064943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.066{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\SHELL32.dll+2406b7(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d 10341000x800000000000000064942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.066{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\SHELL32.dll+2406b7(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e 10341000x800000000000000064941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.065{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\windows.storage.dll+2a808f(wow64)|C:\Windows\System32\windows.storage.dll+fd72f(wow64)|C:\Windows\System32\SHELL32.dll+24077c(wow64)|C:\Windows\System32\SHELL32.dll+2409e9(wow64)|C:\Windows\System32\SHELL32.dll+24067d(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d 10341000x800000000000000064940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.065{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\windows.storage.dll+2a808f(wow64)|C:\Windows\System32\windows.storage.dll+fd72f(wow64)|C:\Windows\System32\SHELL32.dll+24077c(wow64)|C:\Windows\System32\SHELL32.dll+2409e9(wow64)|C:\Windows\System32\SHELL32.dll+24067d(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10139|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+ff75|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1199d 10341000x800000000000000064939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.065{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\windows.storage.dll+2a808f(wow64)|C:\Windows\System32\windows.storage.dll+fd72f(wow64)|C:\Windows\System32\SHELL32.dll+24077c(wow64)|C:\Windows\System32\SHELL32.dll+2409e9(wow64) 10341000x800000000000000064938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.065{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Windows\System32\shlwapi.dll+29a9e(wow64)|C:\Windows\System32\windows.storage.dll+2a808f(wow64)|C:\Windows\System32\windows.storage.dll+fd72f(wow64)|C:\Windows\System32\SHELL32.dll+24077c(wow64)|C:\Windows\System32\SHELL32.dll+2409e9(wow64)|C:\Windows\System32\SHELL32.dll+24067d(wow64) 10341000x800000000000000064937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fe5|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fe5|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fe5|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e 10341000x800000000000000064934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fe5|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e 10341000x800000000000000064933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fa1|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fa1|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fa1|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e 10341000x800000000000000064930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10fa1|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e 10341000x800000000000000064929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+1764d9(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\SHELL32.dll+17645a(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000064927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e 10341000x800000000000000064926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+176445(wow64)|C:\Windows\System32\SHELL32.dll+175fec(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e 10341000x800000000000000064925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\SHELL32.dll+1993c0(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+227d9|C:\Windows\System32\KERNEL32.DLL+162c4(wow64) 10341000x800000000000000064924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1993b2(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e 10341000x800000000000000064923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.055{43EB4363-57C1-60F5-260B-00000000E501}63446640C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c69b8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\SHELL32.dll+1993b2(wow64)|C:\Windows\System32\SHELL32.dll+17611f(wow64)|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+9edb|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10d85|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+10f69|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1191e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+11f2e|C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe+1b2e 10341000x800000000000000064922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.045{43EB4363-37A7-60F5-1600-00000000E501}1272564C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000064921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.045{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-57C1-60F5-260B-00000000E501}6344C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncConfig.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000064920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:45:22.045{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\odopen\shell\open\command\(Default)"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /url:"%%1" 13241300x800000000000000064919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:45:22.045{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\odopen\shell\open\command\(Default)"C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /url:"%%1" 13241300x800000000000000064918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.045{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileCoAuthLib64.dll 13241300x800000000000000064917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.045{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{4410DC33-BC7C-496B-AA84-4AEA3EEE75F7}\InProcServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuthLib.dll 13241300x800000000000000064916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\IE.AssocFile.URL\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\Directory\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\Directory\Background\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\*\shellex\ContextMenuHandlers\ FileSyncEx\(Default){CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B} 13241300x800000000000000064906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.035{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{9AA2F32D-362A-42D9-9328-24A483E2CCC3}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{A78ED123-AB77-406B-9962-2A5D9D2F7F30}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{5AB7172C-9C11-405C-8DD5-AF20F3606282}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 13241300x800000000000000064886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileSyncShell.dll 13241300x800000000000000064885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1122SetValue2021-07-19 10:45:22.025{43EB4363-57A1-60F5-C80A-00000000E501}4100C:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\(Default)C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\amd64\FileSyncShell64.dll 23542300x800000000000000028932Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:22.729{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E085CB8A9695557C56753D39AA3E0B,SHA256=5538398EBE78B7ED8983D8FA545935DF0C5FF916FE1BE2A0CFD3D9F545720BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.888{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-3C0B-00000000E501}7748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.878{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-3C0B-00000000E501}7748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.878{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-3C0B-00000000E501}7748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.848{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-3B0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.828{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-3B0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.828{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-3B0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.203{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65125-false52.114.128.71-443https 354300x800000000000000065040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.197{43EB4363-57A1-60F5-C60A-00000000E501}7676C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65124-false52.114.128.71-443https 354300x800000000000000065039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:21.988{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.728{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-3A0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.718{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-3A0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.718{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-3A0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.627{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-390B-00000000E501}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.617{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-390B-00000000E501}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.617{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-390B-00000000E501}3700C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.577{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-380B-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.558{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-380B-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.558{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-380B-00000000E501}968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.427{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-370B-00000000E501}4864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.397{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1683053F2F7015EDA753DE01B53886B6,SHA256=BC3A42DF64D4F9567333DA8AED154526DA3628C6300843047EA31B65B66204DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.397{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-370B-00000000E501}4864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.397{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-370B-00000000E501}4864C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.327{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-360B-00000000E501}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.317{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-360B-00000000E501}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.317{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-360B-00000000E501}7920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.247{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-350B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.237{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-350B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.237{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-350B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CFC1AE7C6E1CD7699666D7DDE47E94DD,SHA256=FB6C5C63482B9E6E418F7A3826A0AC2AF8B8EDF334DB9D302176D41FFBD1EA57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74B17B0383BF0BE93A3DBD806A6265F,SHA256=A174D895CDD48746F62BAABEA1A3D054E2CDFE3C1CBD2BD4DFFE6B5C097E48A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F69981EB63CA0828D7C8FE2D4081AFF1,SHA256=F4DF6602335881EC6E1AB1B9E1257346DCD6A1E1FAED2BA8DA246606E0A5A1BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.027{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C3-60F5-340B-00000000E501}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.017{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C3-60F5-340B-00000000E501}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:23.017{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C3-60F5-340B-00000000E501}6172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028935Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:23.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=827F622826D223D5F5245784254B8EC3,SHA256=C5135EAEA37AF22D82432C24B807FEBD261077CC5C27FACA11ECB99AC360EB65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028934Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:21.258{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000028933Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:20.929{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.879{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-4C0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.859{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-4C0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.859{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-4C0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.829{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-4B0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:22.945{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65126-false52.114.76.34-443https 10341000x800000000000000065093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.819{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-4B0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.819{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-4B0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.779{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-4A0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.772{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4D93A7E415D2473B3564065638D5164,SHA256=F1906848B98160CCAF4B06CB198B91E06DD58B5DE46FAD4C9E9D1C0170D907D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.770{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-4A0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.770{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-4A0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.729{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-490B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-490B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000065085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.719{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ED55B0489B2A447F6687CA8868C98A9E,SHA256=105DB2CE1B135597315487BC66419633E770444880C45D8483DB00A5938D4437,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.719{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-490B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.679{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-480B-00000000E501}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.673{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-480B-00000000E501}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.672{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-480B-00000000E501}5500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.609{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-470B-00000000E501}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.599{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-470B-00000000E501}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.599{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-470B-00000000E501}7492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.558{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-460B-00000000E501}644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.548{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-460B-00000000E501}644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.548{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-460B-00000000E501}644C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.476{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-450B-00000000E501}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.458{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-450B-00000000E501}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.458{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-450B-00000000E501}6988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.428{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-440B-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.418{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-440B-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.418{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-440B-00000000E501}7512C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.378{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-430B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.358{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-430B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.358{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-430B-00000000E501}3504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.328{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-420B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.318{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-420B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.318{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-420B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.288{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-410B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.278{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-410B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.278{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-410B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.228{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-400B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.218{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-400B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.218{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-400B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.178{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-3F0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.158{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-3F0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.158{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-3F0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.118{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-3E0B-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.108{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-3E0B-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.108{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-3E0B-00000000E501}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.078{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C4-60F5-3D0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.048{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C4-60F5-3D0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.048{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C4-60F5-3D0B-00000000E501}5716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028936Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:24.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9CA096B536935E3257098D7E8DC621,SHA256=C11B2464E9D1A2F01927489778C69CAD464994C4EF26DB2D1A4BE9FC7035F01A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.979{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-5B0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.960{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-5B0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.960{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-5B0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.877{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-5A0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.860{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-5A0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.860{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-5A0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.830{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-590B-00000000E501}7668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.820{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-590B-00000000E501}7668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.820{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-590B-00000000E501}7668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.780{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-580B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.778{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-580B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.778{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-580B-00000000E501}8108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.740{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-570B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.720{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-570B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.720{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-570B-00000000E501}7936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.680{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-560B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.676{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-560B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.676{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-560B-00000000E501}5440C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.640{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-550B-00000000E501}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.620{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-550B-00000000E501}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.620{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-550B-00000000E501}7564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.600{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-540B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.590{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-540B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.590{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-540B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.540{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-530B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.540{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA0187D64D2BE62919C5BEF39F898001,SHA256=EDC175B50E7A37DCFF485973FA68BD2C9A74EE50502797390BCD7EFCEA38F00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.530{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-530B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.530{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-530B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.500{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-520B-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.490{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-520B-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.490{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-520B-00000000E501}3988C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.460{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-510B-00000000E501}348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.450{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-510B-00000000E501}348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.450{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-510B-00000000E501}348C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.410{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-500B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.400{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-500B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.400{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-500B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.349{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-4F0B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.339{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-4F0B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.339{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-4F0B-00000000E501}5448C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.299{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-4E0B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.289{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-4E0B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.289{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-4E0B-00000000E501}7940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.249{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C5-60F5-4D0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.239{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C5-60F5-4D0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:25.239{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C5-60F5-4D0B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:24.999{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.dbMD5=54D3304BA64DD09281A5D32E01C97B2F,SHA256=BDE7C425AD5501DC66AA3B79D51878C6A30D6526BCED4508747051FD78A3DDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028937Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:25.760{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D6E1FA6D5507613668C4806227D35,SHA256=E9FAA5C93439789347525AB356459AAF31B2C91AC308E42C5861429142D7C9AC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.961{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-670B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.951{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-670B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.951{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-670B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.911{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-660B-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.901{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-660B-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.901{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-660B-00000000E501}6184C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.842{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-650B-00000000E501}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.831{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-650B-00000000E501}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.831{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-650B-00000000E501}6640C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.791{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-640B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.781{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-640B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.781{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-640B-00000000E501}7180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.721{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-630B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.711{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-630B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.711{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-630B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.677{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-620B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.661{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-620B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.661{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-620B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.601{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-610B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.591{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-610B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.591{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-610B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.541{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-600B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.531{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-600B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.531{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-600B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.481{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-5F0B-00000000E501}7464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.461{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-5F0B-00000000E501}7464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.461{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-5F0B-00000000E501}7464C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.391{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-5E0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.381{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-5E0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.381{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-5E0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.275{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-5D0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.261{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-5D0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.261{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-5D0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.221{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C6-60F5-5C0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.211{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C6-60F5-5C0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.211{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C6-60F5-5C0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028938Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:26.932{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C965F203FD5F7EEEE9D9550530CA8849,SHA256=332C2B757CE5AFE9E7B787DC4F3336875A20F0A8F6B8B9475E797C5CE38B1A87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.943{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-720B-00000000E501}340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.933{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-720B-00000000E501}340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.933{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-720B-00000000E501}340C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.913{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81A9D9841FDEA32596CC4799DE416160,SHA256=51F054D4F90FB7E3253AEFF687785E9C6A350828C330EFAD9CC5E53A8EB90696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.878{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-710B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.863{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-710B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.863{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-710B-00000000E501}7824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.813{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-700B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-700B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.803{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-700B-00000000E501}6556C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.753{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6F0B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.743{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6F0B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.743{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6F0B-00000000E501}7312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.632{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6E0B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.622{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6E0B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.622{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6E0B-00000000E501}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.563{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6D0B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.542{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6D0B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.542{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6D0B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.442{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6C0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.422{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6C0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.422{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6C0B-00000000E501}6916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.392{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6B0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.379{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6B0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.379{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6B0B-00000000E501}6176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.312{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-6A0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.292{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-6A0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.292{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-6A0B-00000000E501}1384C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.192{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-690B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.182{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-690B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.182{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-690B-00000000E501}6660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.112{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=502C60261F8DEC03A03A184966B2F301,SHA256=ADDA9C7E8EB96B11CC875872E067EF1868684EDD457142A0F753210D1DE95556,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.102{43EB4363-55C5-60F5-8808-00000000E501}4632ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000017.dbMD5=C0E79D961FC84D98F2989F4F6D1FB6C2,SHA256=D70A34965D7FBCDE2EBA51B0E77C7EC0B0F4FAB3E71B1322056D23BBA8047DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.032{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C7-60F5-680B-00000000E501}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.022{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C7-60F5-680B-00000000E501}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:27.022{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C7-60F5-680B-00000000E501}6848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.945{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-7D0B-00000000E501}7984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.935{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-7D0B-00000000E501}7984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.935{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-7D0B-00000000E501}7984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.895{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-7C0B-00000000E501}7580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.878{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-7C0B-00000000E501}7580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.878{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-7C0B-00000000E501}7580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:26.995{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.814{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-7B0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.794{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-7B0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.794{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-7B0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.794{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=890800180579C02E313A20C38F93FC1E,SHA256=E65F0B86084935BA02D2812BAC24000B6E0810D7745808CD9F4C055522CB0A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.744{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-7A0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.724{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-7A0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.724{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-7A0B-00000000E501}6628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.664{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-790B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.644{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-790B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.644{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-790B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.544{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-780B-00000000E501}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.514{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-780B-00000000E501}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.514{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-780B-00000000E501}7716C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.413{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-770B-00000000E501}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.393{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-770B-00000000E501}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.393{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-770B-00000000E501}7268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.323{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-760B-00000000E501}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.313{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-760B-00000000E501}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.313{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-760B-00000000E501}6248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.280{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-750B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.263{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-750B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.263{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-750B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.103{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-740B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.093{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-740B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.093{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-740B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.033{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C8-60F5-730B-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.023{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C8-60F5-730B-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:28.023{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C8-60F5-730B-00000000E501}5224C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028940Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:28.057{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9455459A7991CF4DFB857B4559F68A,SHA256=181BFADB547D638795DC9BAC4898FB0474A21EBECD878A1D2B78D6402336C508,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028939Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:26.096{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.983{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-8C0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.969{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-8C0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.969{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-8C0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.939{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-8B0B-00000000E501}852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.919{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-8B0B-00000000E501}852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.919{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-8B0B-00000000E501}852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.879{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-8A0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.859{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-8A0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.859{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-8A0B-00000000E501}7808C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.809{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-890B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.765{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-890B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.765{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-890B-00000000E501}7912C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.729{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-880B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.719{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-880B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.719{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-880B-00000000E501}8188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.683{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-870B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.669{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-870B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.669{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-870B-00000000E501}8180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.649{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF57FB2313EB42416027A592FB3A24B6,SHA256=E839AEE92604109E5CE29A7B36958A52571C4663DC6002A09131DF465E05D10B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.629{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-860B-00000000E501}7660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.619{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-860B-00000000E501}7660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.619{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-860B-00000000E501}7660C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.599{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88D28FEB2961C15AEBA091F4AAC3613,SHA256=D477938328E82FD0E88D3F69251A4C381BE040215BD44F0A49DD644C37725AE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.586{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-850B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.569{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-850B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.569{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-850B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.539{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-840B-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.529{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-840B-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.529{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-840B-00000000E501}3180C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.487{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-830B-00000000E501}7500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.469{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-830B-00000000E501}7500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.469{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-830B-00000000E501}7500C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.439{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-820B-00000000E501}6612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.429{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-820B-00000000E501}6612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.429{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-820B-00000000E501}6612C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.349{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-810B-00000000E501}7552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.339{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-810B-00000000E501}7552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.339{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-810B-00000000E501}7552C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.268{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-800B-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.248{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-800B-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.248{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-800B-00000000E501}4308C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.180{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-7F0B-00000000E501}5172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.157{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-7F0B-00000000E501}5172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.157{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-7F0B-00000000E501}5172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.014{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57C9-60F5-7E0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.004{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57C9-60F5-7E0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:29.004{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57C9-60F5-7E0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028941Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:29.138{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A253871756BEA6911A800148056C091,SHA256=7C10A837772A48D4203296349D49765037B34FE8127A6A4A6D652C2A0ECEA975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.660{43EB4363-57CA-60F5-940B-00000000E501}2496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XI5WVS91EW\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll.auxMD5=9F75508160F360FDAE9DC18CA115C550,SHA256=8D55BEB1B5C696654355C1445FC69699EBD4FE774AE9D3B9A6EB7F09278DDBC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.660{43EB4363-57CA-60F5-940B-00000000E501}2496NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\XI5WVS91EW\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dllMD5=07FB8058869128125C56F0BB5193D848,SHA256=FF0C1A1D5020F4FE33DBBD39CBB92A94E0BEE65E8A29A86DB4EBC6347B0F5C96,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000065323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.530{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-940B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.500{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-940B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.500{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-940B-00000000E501}2496C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+315bb|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+31318|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+31229|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1215e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+f549|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74dc|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.420{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-930B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.410{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-930B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.410{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-930B-00000000E501}5128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.360{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-920B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.350{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-920B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.350{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-920B-00000000E501}504C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.310{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-910B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.290{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-910B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.290{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-910B-00000000E501}8116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.219{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-900B-00000000E501}7724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.189{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-900B-00000000E501}7724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.189{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-900B-00000000E501}7724C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.149{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-8F0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.139{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-8F0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.139{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-8F0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.089{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-8E0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.069{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-8E0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.069{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-8E0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.029{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-57CA-60F5-8D0B-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.019{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CA-60F5-8D0B-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:30.019{43EB4363-5784-60F5-320A-00000000E501}74687256C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{43EB4363-57CA-60F5-8D0B-00000000E501}7948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+3965|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+aafe|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a457|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a19d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a055|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+77c6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d26|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9828|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+74ce|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+7395|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2bd9|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8c07|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2130|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f0f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+29e1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2969|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028942Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:30.360{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F6ADD24333161830CDB11672170C46A,SHA256=4FC35FF775F9F052FB608CA94163D6035BD31DE1C918924E8B474BF0FDC21ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.885{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CB-60F5-980B-00000000E501}7492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.862{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CB-60F5-980B-00000000E501}7492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.862{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CB-60F5-980B-00000000E501}7492C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.832{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CB-60F5-970B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.802{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CB-60F5-970B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.802{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CB-60F5-970B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.561{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-5784-60F5-350A-00000000E501}6060C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.561{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CB-60F5-960B-00000000E501}7880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.471{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F3CA597FC4A10E56DDDA80F1C76224,SHA256=9F1D6E8762BB79FF4CFA2440DB41B082E3186804CE14CD3333DBEF9ECD6D8716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.391{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5632E5444054CB7236073EFDE6562ED0,SHA256=2353A2362B8B231275F350316BFAB33C6ABE4D086DE4D7A275669B68453B3F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.391{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92E7AC4ED76AF34BEDD770A2574D5630,SHA256=D2EA21BB526864D935908C8BE1C0BDD882A4A19125D74E7590D095CCB22E3CED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.385{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CB-60F5-960B-00000000E501}7880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.385{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CB-60F5-960B-00000000E501}7880C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.371{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-5774-60F5-1F09-00000000E501}6196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.331{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-57CB-60F5-950B-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.321{43EB4363-37A5-60F5-0B00-00000000E501}6241128C:\Windows\system32\lsass.exe{43EB4363-57CB-60F5-950B-00000000E501}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.291{43EB4363-5774-60F5-2009-00000000E501}67164680C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.291{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.291{43EB4363-5774-60F5-1F09-00000000E501}61965588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{00000000-0000-0000-0000-000000000000}4460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+35491|UNKNOWN(00007FFD80825A07) 10341000x800000000000000065329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.201{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.201{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.201{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000065326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:31.201{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000028943Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:31.393{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9B87B55DE3D7CB1F3EB6702370501D,SHA256=338B722A8F040D3D4CE9CA8478CB83B3D0DB48D64F23FADF0F0B5E849608394B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.962{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CC-60F5-9D0B-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.941{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CC-60F5-9D0B-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.941{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CC-60F5-9D0B-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.891{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CC-60F5-9C0B-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.871{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CC-60F5-9C0B-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.871{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CC-60F5-9C0B-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.834{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CC-60F5-9B0B-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.819{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CC-60F5-9B0B-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.818{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CC-60F5-9B0B-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.728{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CC-60F5-9A0B-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.711{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CC-60F5-9A0B-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.710{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CC-60F5-9A0B-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.672{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CC-60F5-990B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.655{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.653{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CC-60F5-990B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.653{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CC-60F5-990B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.631{43EB4363-57A1-60F5-C80A-00000000E501}4100ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmp34B.tmpMD5=9E936C2078B286132CD6B9C8602FD17A,SHA256=FA994BADB1E90B2629E0D955572CA57EFE97169D20D6B4957E2F830E3680DA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.594{43EB4363-57A1-60F5-C60A-00000000E501}7676ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmp29F.tmpMD5=9E936C2078B286132CD6B9C8602FD17A,SHA256=FA994BADB1E90B2629E0D955572CA57EFE97169D20D6B4957E2F830E3680DA9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.362{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE18B2B5437D314F4EC84F40F510881,SHA256=6A0C7D37D9E97CB590657BF2F8F23115200F905EC08E9936F4FF954F8A203B55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.308{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A749F7F171D7E28909960D38F486A637,SHA256=FC964D09AC158E646A1D23A429D5849773FE28910072A638A4EABA20C4E3AAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028944Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:32.612{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD0C351738926763BCEADE976650A840,SHA256=6CC3684516DFDAD9A66A85A8883BBE5A066A95046D8C652D8A555C335E8C8DAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.942{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CD-60F5-A10B-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.912{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CD-60F5-A10B-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.912{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CD-60F5-A10B-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.882{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CD-60F5-A00B-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.729{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65130-false52.114.128.71-443https 354300x800000000000000065386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.727{43EB4363-57A0-60F5-BE0A-00000000E501}7680C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65129-false52.114.128.71-443https 354300x800000000000000065385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.601{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local58368- 354300x800000000000000065384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:32.004{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.862{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CD-60F5-A00B-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.862{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CD-60F5-A00B-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.752{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CD-60F5-9F0B-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.723{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CD-60F5-9F0B-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.723{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CD-60F5-9F0B-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.664{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B37B3CB5E7EB2355AA2CE761F8C9A3D,SHA256=3E08FA6F6EF75F4B19103C1581D81B740B0D4495626DAEF7F524D644CF46DA3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.412{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE386B34570751806C023917C44A6642,SHA256=F89165FD2A9BC0655754A26589D374C6CFE9F40F16DD3A64F7714E5673971343,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.221{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CD-60F5-9E0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.201{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CD-60F5-9E0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.201{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CD-60F5-9E0B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.091{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.091{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.091{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.091{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:33.091{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028945Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:33.846{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755B020DB466C03E9773574A7AADE6DC,SHA256=32F61B45E30424A89F69DB04F526AF31248C58993D67AB23A4CBE49D2AF6FD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028947Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:34.862{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96E5A35BAD233AC50239FD08C4B80E6F,SHA256=08EC45B127DF2995A64663371F8490696B06EACC2BE42C932F7468D49A4F46B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.953{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-AC0B-00000000E501}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.944{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-AC0B-00000000E501}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.934{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-AC0B-00000000E501}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.904{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-AB0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.883{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-AB0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.883{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-AB0B-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.793{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-AA0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.783{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6A489834EEA8A810942A33CDFCEB9B0,SHA256=59A2FA00F228F08172E29D7BF4705B113009832433CC0521616F3779EC6E592B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.783{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E07DA6E079AF02000F0422222A80B0F,SHA256=DFAC1CEE7B4A3DA0E815FE592264F5A4C4BE8A4270D1BA32A57D115762C55163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.781{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-AA0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.781{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-AA0B-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.743{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A90B-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.723{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A90B-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.723{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A90B-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.683{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A80B-00000000E501}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.676{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A80B-00000000E501}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.676{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A80B-00000000E501}6536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.631{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A70B-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.613{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A70B-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.613{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A70B-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.493{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A60B-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.483{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A60B-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.483{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A60B-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.403{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A50B-00000000E501}5500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.383{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A50B-00000000E501}5500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.383{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A50B-00000000E501}5500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.313{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A40B-00000000E501}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.303{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A40B-00000000E501}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.293{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A40B-00000000E501}6628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.225{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A30B-00000000E501}8144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.182{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A30B-00000000E501}8144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.182{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A30B-00000000E501}8144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.052{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CE-60F5-A20B-00000000E501}7760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.042{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CE-60F5-A20B-00000000E501}7760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:34.042{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CE-60F5-A20B-00000000E501}7760C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000028946Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:31.932{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028948Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:35.971{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99DE7D94726D8C4C81AF098B32736962,SHA256=30B956F2317CF4B6D26B86E368DAF1FC68CFBAD0D5389EA466B08CF3FE8AA3F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.956{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-B30B-00000000E501}2496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.946{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-B30B-00000000E501}2496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.946{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-B30B-00000000E501}2496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.885{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-B20B-00000000E501}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.865{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-B20B-00000000E501}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.865{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-B20B-00000000E501}6248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.845{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25A3955D5BA488BF906509B56BE7B7C2,SHA256=F0EDF85FE537921D1C76F7DFE2551DAE6062D4DEF42662869E4CB257C3A238E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.845{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC7F9EF82EDD8434A17125628850BDE,SHA256=74A8F052A45FF86432F2114DBE93D4451A1D0C8008189BDE8E25FBB62477E8D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.805{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-B10B-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.785{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-B10B-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.785{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-B10B-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.725{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-B00B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.705{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-B00B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.705{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-B00B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.677{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-AF0B-00000000E501}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.655{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-AF0B-00000000E501}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.655{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-AF0B-00000000E501}4972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.094{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-AE0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.080{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-AE0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.080{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-AE0B-00000000E501}7180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.014{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57CF-60F5-AD0B-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.004{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57CF-60F5-AD0B-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:35.004{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57CF-60F5-AD0B-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.939{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B30DAF50F62D5728453B50495EE938BC,SHA256=D21EB5991D17EF5BD8090A75D428CBCE6F7ED88BC02A6AA164E0BB480860E70F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.934{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007AE923EBD5477991EFAC4ED23C1FF2,SHA256=1EBCE4929F8EF542F0FC63C03A4310191DBA1C5671D19E018461FA2971B47327,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.919{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-C00B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.899{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-C00B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.899{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-C00B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.830{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BF0B-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.818{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BF0B-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.818{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BF0B-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.743{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BE0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.728{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BE0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.728{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BE0B-00000000E501}2580C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.679{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BD0B-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.657{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BD0B-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.657{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BD0B-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.617{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BC0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.597{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BC0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.597{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BC0B-00000000E501}7188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.557{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BB0B-00000000E501}360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.537{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BB0B-00000000E501}360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.537{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BB0B-00000000E501}360C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.483{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-BA0B-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.466{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-BA0B-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.466{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-BA0B-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.426{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B90B-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.406{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B90B-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.406{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B90B-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.356{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B80B-00000000E501}1448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.346{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B80B-00000000E501}1448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.346{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B80B-00000000E501}1448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.316{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B70B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.296{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B70B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.296{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B70B-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.166{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B60B-00000000E501}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.146{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B60B-00000000E501}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.146{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B60B-00000000E501}224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.096{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B50B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.086{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B50B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.086{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B50B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.026{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-B40B-00000000E501}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.006{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-B40B-00000000E501}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.006{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-B40B-00000000E501}6688C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.910{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\aria-debug-7676.logMD5=8EDB1034037F25DBC285BC0BD40E71B0,SHA256=641F30D459323123FB768041CF163467A3E2EC95C5A29FCA717C9A8B472F43BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.910{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\aria-debug-4100.logMD5=7F21D3CBE4B3E84BBB9FCB8EE9360DC6,SHA256=2B9D6121D37A608094F650E3A10F0F6AC48D87D590FBEA0B2A1A4DD576A2D2D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.790{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-CB0B-00000000E501}5620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.770{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-CB0B-00000000E501}5620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.770{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-CB0B-00000000E501}5620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.720{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-CA0B-00000000E501}7576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.690{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-CA0B-00000000E501}7576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.690{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-CA0B-00000000E501}7576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000028949Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:37.143{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA71C7F9C8951278A19074B34EFD8C9,SHA256=3A359E9C7F7977D02F16F58BD9818BFAC01FE9A41ABB346DF6D8335E75F31CB1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000065519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:37.670{43EB4363-57D1-60F5-C90B-00000000E501}7780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1e64-0\Microsoft.Office.Tools.dll2021-07-19 10:45:37.670 10341000x800000000000000065518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.640{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C90B-00000000E501}7780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.620{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C90B-00000000E501}7780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.620{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C90B-00000000E501}7780C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.590{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C80B-00000000E501}8080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.570{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C80B-00000000E501}8080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.570{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C80B-00000000E501}8080C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.520{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C70B-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.510{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C70B-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.510{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C70B-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.440{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C60B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.430{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C60B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.430{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C60B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.369{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C50B-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.349{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C50B-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.349{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C50B-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.309{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C40B-00000000E501}7852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.299{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C40B-00000000E501}7852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.299{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C40B-00000000E501}7852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.239{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C30B-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.209{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C30B-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.209{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C30B-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.149{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D1-60F5-C20B-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.109{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D1-60F5-C20B-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.109{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D1-60F5-C20B-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.045{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D0-60F5-C10B-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.989{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C056718C77DA531D58A385622C014908,SHA256=2ECA0CDA7D0D1CFCB525F141C30DA09F3D0382DE6942C1A71686A0FA584A6619,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.988{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D0-60F5-C10B-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:36.988{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D0-60F5-C10B-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.921{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D2-60F5-CF0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.901{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D2-60F5-CF0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.901{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D2-60F5-CF0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.821{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D2-60F5-CE0B-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.791{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D2-60F5-CE0B-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.791{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D2-60F5-CE0B-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:38.731{43EB4363-57D2-60F5-CD0B-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\18c0-0\Microsoft.Office.Tools.Common.Implementation.dll2021-07-19 10:45:38.731 23542300x800000000000000065538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.691{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE2486E2B352519BC0FB18350D61C2D,SHA256=E6637F05C737AA253F4BF8109622752532084F0C4957707C7681A400A37503E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028950Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:38.377{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ACFD741AB95AD6694201BFBB41B79E,SHA256=9444FF23EB5777629E61B785FB16F739EBE4030459C6C78776722109B6EBBF50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.151{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D2-60F5-CD0B-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.131{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D2-60F5-CD0B-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.131{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D2-60F5-CD0B-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000065534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.070{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50C1EE9E148E8E61F1655CF81F740A,SHA256=7A1C894670EB9E7B54F4931F249DCEA2BB018D5654EBFB1F6AAD774275E89444,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.070{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D2-60F5-CC0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.060{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A2FF64D9BC34D980A669DF60EE360CD,SHA256=64CAAFC295A914CF9D0C83ADC8C60602036FDB61E39B8AF950B216C396292368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.060{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3E46ED81F7583A2BF279D5826E3E2B6,SHA256=49EF856EA057FED3DF704CDC8B1A82D9C7599E0B7F327B4A527F76770FDF5EBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.050{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D2-60F5-CC0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:38.050{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D2-60F5-CC0B-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:38.021{43EB4363-57D1-60F5-CB0B-00000000E501}5620C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15f4-0\Microsoft.Office.Tools.Common.dll2021-07-19 10:45:38.021 23542300x800000000000000065555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.714{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7619D693C7A31A540BA75C3A0E65E5F0,SHA256=3656A13403EBED8B408DC87CD4FD6018B14ADCD13F93EFEB3CBE9750716C2213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028952Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:39.409{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376F5F47455B7E60F5D3DBE3839DFA1E,SHA256=4A8C1DC67F47BB4480A201B4E2740031F6C81BA710260FDFF08DEFEB31C6CA59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.433{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D3-60F5-D10B-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.423{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D3-60F5-D10B-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.423{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D3-60F5-D10B-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.362{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D3-60F5-D00B-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.342{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D3-60F5-D00B-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.342{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D3-60F5-D00B-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:39.262{43EB4363-57D2-60F5-CF0B-00000000E501}4192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1060-0\Microsoft.Office.Tools.Excel.dll2021-07-19 10:45:39.262 354300x800000000000000065547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:37.032{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000065546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:39.123{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990ABF104623A3426054C30E0E1D5D26,SHA256=B9038C258BE74A91B0C65CA090E589B08A4BA5E1F305BF32A10E186FE1BA22EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028951Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:37.072{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028953Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:40.487{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B1D969BE266ECC05F6D3BC4E7BF239C,SHA256=991643C518882EEC8237838803E292C0F63C024AB7BF054D90FB90CE054C8A94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.954{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D90B-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.934{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D90B-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.934{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D90B-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.873{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D80B-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.843{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D80B-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.843{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D80B-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:40.802{43EB4363-57D4-60F5-D70B-00000000E501}4680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1248-0\Microsoft.Office.Tools.v4.0.Framework.dll2021-07-19 10:45:40.802 23542300x800000000000000065578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.772{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3012C051E8035CF6A33C3C21116B8F1,SHA256=F24FC5E0C16651359D3BD00D2FEE59219E827EE5FB339BA38A6A717695A22107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.752{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D70B-00000000E501}4680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.722{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D70B-00000000E501}4680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.722{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D70B-00000000E501}4680C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.672{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D60B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.652{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D60B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.652{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D60B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:40.621{43EB4363-57D4-60F5-D50B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1e20-0\Microsoft.Office.Tools.Outlook.Implementation.dll2021-07-19 10:45:40.621 10341000x800000000000000065570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.442{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D50B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.422{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D50B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.422{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D50B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000065567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.382{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=165071B48E1DD7B98719820FDE02489D,SHA256=75313A091F84E61ECD34C010744098BB171470575A29DCDDC8382A5879495B3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.372{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D40B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.352{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D40B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.352{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D40B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:40.321{43EB4363-57D4-60F5-D30B-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\60-0\Microsoft.Office.Tools.Outlook.dll2021-07-19 10:45:40.321 10341000x800000000000000065562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.241{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D30B-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.221{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D30B-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.221{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D30B-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.176{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D4-60F5-D20B-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.151{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D4-60F5-D20B-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:40.151{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D4-60F5-D20B-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:40.090{43EB4363-57D3-60F5-D10B-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1e80-0\Microsoft.Office.Tools.Excel.Implementation.dll2021-07-19 10:45:40.090 23542300x800000000000000028954Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:41.721{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573BA5C24F57B9B3EE4383217AB08201,SHA256=3E583B4E09A1613EA1B1FC4240C0AC0264C0C18B1A02534ED6ED06E2AA4F5284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.976{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D5-60F5-DC0B-00000000E501}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.962{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D5-60F5-DC0B-00000000E501}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.961{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D5-60F5-DC0B-00000000E501}4500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:41.906{43EB4363-57D5-60F5-DB0B-00000000E501}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\11b8-0\Microsoft.Office.Tools.Word.Implementation.dll2021-07-19 10:45:41.906 23542300x800000000000000065594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.776{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B772F6D61D845FAEB0CDEE291D185517,SHA256=DFC7BF039056718964BDD19EA9556FA877935CE202B371197358EF08397F00BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.460{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D5-60F5-DB0B-00000000E501}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.435{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D5-60F5-DB0B-00000000E501}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.435{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D5-60F5-DB0B-00000000E501}4536C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000065590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.425{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21D2F4A9EE2E56DE74E1F1A6EC715465,SHA256=42C79059F937E686D9B19194D2B1F25E063B40DA1237A7DB69A0342E3E6B8E7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.375{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D5-60F5-DA0B-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.345{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D5-60F5-DA0B-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:41.345{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D5-60F5-DA0B-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:41.295{43EB4363-57D4-60F5-D90B-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1c3c-0\Microsoft.Office.Tools.Word.dll2021-07-19 10:45:41.295 23542300x800000000000000028955Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:42.948{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCFBAFBC2DAAA8EEA3D22C02F4E3CA95,SHA256=803790CEACB1F864C4A9BA8A2C2BD83E36F2630C4A9494B0968F2013D735FFFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.950{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-E30B-00000000E501}504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.930{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-E30B-00000000E501}504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.930{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-E30B-00000000E501}504C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.870{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-E20B-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.850{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-E20B-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.850{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-E20B-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.790{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-E10B-00000000E501}8088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.790{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7823C8F6D1D58B1B13B4E1CBBA642F93,SHA256=3EF4521123D811E2309B9E68E23E4A5D94DAE78B800E9B5F491CBEAD54965F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.780{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-E10B-00000000E501}8088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.770{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-E10B-00000000E501}8088C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.566{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-E00B-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.549{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-E00B-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.549{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-E00B-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.448{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2344C9E86036B22AC55BA274EF9EDB4E,SHA256=83429F010CEFB20514ECC5D2DD290A539F76BDB0E92B1818E246D33BEEB5B497,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.448{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-DF0B-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.418{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-DF0B-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.418{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-DF0B-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.326{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-DE0B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.306{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-DE0B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.306{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-DE0B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.198{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D6-60F5-DD0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.168{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D6-60F5-DD0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:42.168{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D6-60F5-DD0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000028956Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:43.964{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D460F6111BAEFAC70B8E6A9B1529EC7E,SHA256=452D3DC03C369E7289C4026DAC09CA380E7264C7F3B733E05EF9D6297F3290AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50DF5E7B82E7B07DF32C873273470AC,SHA256=78E316AC12ADBCDA99170BC48D86A54769FA9BE5F94EEF3EB089C40710B24239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.981{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BDB640138A97C8DACFD10B93E4E9D5D,SHA256=5B7B050DA509FFC1A193EA1D14B33EBEB38D25F36FABCA38C170F1A013FC7A48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.971{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-EE0B-00000000E501}7000C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.951{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-EE0B-00000000E501}7000C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.951{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-EE0B-00000000E501}7000C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.881{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-ED0B-00000000E501}7684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.851{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-ED0B-00000000E501}7684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.851{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-ED0B-00000000E501}7684C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.771{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-EC0B-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.751{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-EC0B-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.751{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-EC0B-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.741{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000065649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.741{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.741{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF7dd476.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.691{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-EB0B-00000000E501}900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.681{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-EB0B-00000000E501}900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.681{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-EB0B-00000000E501}900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.631{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-EA0B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.621{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-EA0B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.621{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-EA0B-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.568{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E90B-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.551{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FACD3492046D3D6D35FC17F9D9A2C05,SHA256=CA0AC822A1785D61EA0A7585275B06B451DABE72C49204F4E27C1B246032A577,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.551{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E90B-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.551{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E90B-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.481{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E80B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.467{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E80B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.467{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E80B-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.411{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E70B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.401{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E70B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.401{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E70B-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.331{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E60B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.321{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E60B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.321{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E60B-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.200{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E50B-00000000E501}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.161{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E50B-00000000E501}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.161{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E50B-00000000E501}6644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.130{43EB4363-57A0-60F5-BE0A-00000000E501}7680ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\integration\Addons\OneDriveSetup.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpFFA3.tmpMD5=9E936C2078B286132CD6B9C8602FD17A,SHA256=FA994BADB1E90B2629E0D955572CA57EFE97169D20D6B4957E2F830E3680DA9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.010{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D7-60F5-E40B-00000000E501}7864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.000{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D7-60F5-E40B-00000000E501}7864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.000{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D7-60F5-E40B-00000000E501}7864C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.943{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-FA0B-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.933{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-FA0B-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.933{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-FA0B-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.853{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662EA21B13933732D30308F458B909BF,SHA256=CEDF9D2EB0E3228F54920B233B48123E7D2B2C45A77770A6ABCCF9D67390669C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.853{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E20571E8CE62DCA1CD0000594DA6913,SHA256=2471739098167FA7FB839A6273467B776B248F47430D2627104CFCE6D67CE7AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000028957Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:42.925{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.833{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F90B-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.813{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F90B-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.813{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F90B-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.765{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F80B-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.743{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F80B-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.743{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F80B-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.693{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F70B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.673{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F70B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.673{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F70B-00000000E501}1368C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.623{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F60B-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.593{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F60B-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.593{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F60B-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7816D33FB6134EC59BF881AB4C6AC35B,SHA256=05579B8CB9D03C019878F14FD959373355435EB15A652947FAADBC099A5AA785,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.523{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F50B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.503{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F50B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.503{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F50B-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F40B-00000000E501}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.443{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F40B-00000000E501}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.443{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F40B-00000000E501}6848C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.404{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F30B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.383{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F30B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.383{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F30B-00000000E501}7472C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.343{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F20B-00000000E501}340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.333{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F20B-00000000E501}340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.333{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F20B-00000000E501}340C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.293{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F10B-00000000E501}7980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.273{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F10B-00000000E501}7980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.273{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F10B-00000000E501}7980C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.172{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-F00B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.166{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-F00B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.166{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-F00B-00000000E501}852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.112{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D8-60F5-EF0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.092{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D8-60F5-EF0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.092{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D8-60F5-EF0B-00000000E501}7140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.932{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB4CCEB3B1321ACD3DF0E9961EF67BE,SHA256=101450E533F03850606CAAD06195F309EE9A238BBE9E3C6FA5A2664587C1EC3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.863{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000028958Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:45.136{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB8411A9823CB4518543F8558649200,SHA256=95177D0D3A8066A91D43F8F75D51673F598C3B424C9BEA1FA9CCA8BE6317E084,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.641{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-010C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.623{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-010C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.623{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D9-60F5-010C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000065724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.609{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B7307C70517F308D1C2923E66FB6471,SHA256=96E7F983B2CC3A362C0E4369DB702EC69436FF646BD8AE07D2E1F951092B26A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.398{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-000C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.381{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-000C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.381{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D9-60F5-000C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.265{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-FF0B-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.254{43EB4363-57D9-60F5-FE0B-00000000E501}80807984C:\Windows\system32\conhost.exe{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.234{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-FF0B-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.234{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D9-60F5-FF0B-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000065716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:43.043{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.153{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-FE0B-00000000E501}8080C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\pcasvc.dll+43591|c:\windows\system32\pcasvc.dll+22bed|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.143{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.134{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-FC0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000065706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDBSetValue2021-07-19 10:45:45.134{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\OfficeSetup.exeBinary Data 10341000x800000000000000065705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.113{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-FC0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.113{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D9-60F5-FC0B-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:45.013{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57D9-60F5-FB0B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.993{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57D9-60F5-FB0B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:44.993{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57D9-60F5-FB0B-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000028959Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:46.355{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57C0E67724F990E3B69BD99188799C3,SHA256=C86D4DDC6639897B79AD716B8F031EA1FAB10589F6F0CBD1DA40C77E78570900,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.968{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DA-60F5-030C-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.948{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DA-60F5-030C-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.948{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DA-60F5-030C-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000065737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.868{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C125CBA85C4E6594B4D564801FD74B5,SHA256=A1228C561CDC15C3CFA4E3AD6B6B99562490F041F6302189FDC7755CEC21E172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.868{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DA-60F5-020C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.848{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DA-60F5-020C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.848{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DA-60F5-020C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.774{43EB4363-57D9-60F5-010C-00000000E501}5488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CKTRMT9GLE\Microsoft.VisualBasic.Compatibility.ni.dll.auxMD5=3F77AD84F34EEF8E9B8CAE3AA534DCFA,SHA256=4F8CE6290ACD23B4ECB957290BDEC2CC4E754DBD316A1F19AEAC72DFE0266F6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.771{43EB4363-57D9-60F5-010C-00000000E501}5488NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\CKTRMT9GLE\Microsoft.VisualBasic.Compatibility.ni.dllMD5=F05FB06B5924616E1DA63503F621E4EA,SHA256=8289F16E2D539F7DEF4CFC93AAE18E4AF9D366A2F870407188D45392169BC03A,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000065731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:46.720{43EB4363-57D9-60F5-010C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1570-0\Microsoft.VisualBasic.Compatibility.dll2021-07-19 10:45:46.719 23542300x800000000000000065730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:46.627{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E7E7B777B64E989429590B50985B1C61,SHA256=CB5C1D5CF32A73CDEDC225903F02116EE10D9C437CD493D9EE43B645032EBA0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.949{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DB-60F5-080C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.919{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DB-60F5-080C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.919{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DB-60F5-080C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028960Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:47.589{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CC109F380684891564391E4452E9773,SHA256=7B2F98427F376DF298C18DDFC4D9A0232290BB8DD0DAE0DAF0B0B01CAA90D02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.869{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33D978B9EACCA8A3495738273D4FF2BC,SHA256=FAD6012EF0A0A84FBBAD1C1AE33FBFA8B1BB91CFA64A9CA455BF489A496C767A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.842{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DB-60F5-070C-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.819{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DB-60F5-070C-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.819{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DB-60F5-070C-00000000E501}4656C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:47.759{43EB4363-57DB-60F5-060C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1828-0\Microsoft.VisualStudio.Tools.Applications.Hosting.dll2021-07-19 10:45:47.759 10341000x800000000000000065774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.519{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DB-60F5-060C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.499{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DB-60F5-060C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.499{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DB-60F5-060C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.459{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DB-60F5-050C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.448{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DB-60F5-050C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.448{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DB-60F5-050C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.418{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DB-60F5-040C-00000000E501}7552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.408{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DB-60F5-040C-00000000E501}7552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.408{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DB-60F5-040C-00000000E501}7552C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.348{43EB4363-57DA-60F5-030C-00000000E501}7824NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KU49H3OBR5\Microsoft.VisualBasic.Compatibility.Data.ni.dll.auxMD5=72313DBCC847C30248298B5241BDC67E,SHA256=6ADB7E3AE2D09BD9A8E2BED85192C84860C0D484F267BA8273C1B75E805BEFF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:47.348{43EB4363-57DA-60F5-030C-00000000E501}7824NT AUTHORITY\SYSTEMC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\temp\KU49H3OBR5\Microsoft.VisualBasic.Compatibility.Data.ni.dllMD5=579070CC67FDBCACB3E1E0F6E343BB21,SHA256=DD1786CB5D5366B4C4014B94CAD209529A43C11D1E9E5D9BBA734FCB511FDC87,IMPHASH=00000000000000000000000000000000truetrue 11241100x800000000000000065763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:47.328{43EB4363-57DA-60F5-030C-00000000E501}7824C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1e90-0\Microsoft.VisualBasic.Compatibility.Data.dll2021-07-19 10:45:47.328 13241300x800000000000000065762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\BinProductVersion18.151.729.13 13241300x800000000000000065761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LinkDate09/17/2018 17:44:14 13241300x800000000000000065760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\Publishermicrosoft corporation 13241300x800000000000000065759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|13fa51f7fa101eb7\LowerCaseLongPathc:\program files\microsoft office\root\integration\addons\onedrivesetup.exe 13241300x800000000000000065758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\BinProductVersion16.0.13127.21668 13241300x800000000000000065757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LinkDate06/05/2021 06:03:12 13241300x800000000000000065756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\Publishermicrosoft corporation 13241300x800000000000000065755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:47.044{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\integrator.exe|1b5d0d4b4f0be95e\LowerCaseLongPathc:\program files\microsoft office\root\integration\integrator.exe 13241300x800000000000000065754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.043{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplication\00001ce300114cd699a5ec1dc952222e119100000904\PublisherMicrosoft Corporation 13241300x800000000000000065753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|789cb1de8c8294de\BinProductVersion18.151.729.13 13241300x800000000000000065752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|789cb1de8c8294de\LinkDate09/17/2018 17:44:14 13241300x800000000000000065751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|789cb1de8c8294de\Publishermicrosoft corporation 13241300x800000000000000065750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\onedrivesetup.ex|789cb1de8c8294de\LowerCaseLongPathc:\users\administrator\appdata\local\microsoft\onedrive\18.151.0729.0013\onedrivesetup.exe 13241300x800000000000000065749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filesyncconfig.e|4703eb564c4346d9\BinProductVersion18.151.729.13 13241300x800000000000000065748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filesyncconfig.e|4703eb564c4346d9\LinkDate09/17/2018 17:42:31 13241300x800000000000000065747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filesyncconfig.e|4703eb564c4346d9\Publishermicrosoft corporation 13241300x800000000000000065746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filesyncconfig.e|4703eb564c4346d9\LowerCaseLongPathc:\users\administrator\appdata\local\microsoft\onedrive\18.151.0729.0013\filesyncconfig.exe 13241300x800000000000000065745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filecoauth.exe|11eeeb6793d3440c\BinProductVersion18.151.729.13 13241300x800000000000000065744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filecoauth.exe|11eeeb6793d3440c\LinkDate09/17/2018 17:44:21 13241300x800000000000000065743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filecoauth.exe|11eeeb6793d3440c\Publishermicrosoft corporation 13241300x800000000000000065742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplicationFile\filecoauth.exe|11eeeb6793d3440c\LowerCaseLongPathc:\users\administrator\appdata\local\microsoft\onedrive\18.151.0729.0013\filecoauth.exe 13241300x800000000000000065741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:45:47.018{43EB4363-57D9-60F5-FD0B-00000000E501}7764C:\Windows\system32\compattelrunner.exe\REGISTRY\A\{31e7253b-dcfa-4617-73b0-8757c973db2e}\Root\InventoryApplication\0000ac2b164d991c1905149501b3a507eacf0000ffff\PublisherMicrosoft Corporation 10341000x800000000000000065804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.982{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-0E0C-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.982{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-0E0C-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 23542300x800000000000000028961Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:48.620{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D16C0BC1E51CBFF0C495FB4682A4A3B,SHA256=7687F44C1D70C58DCF41B121D5D17DF656C663C14E8449DE790DDE42C4091A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.923{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED17C045710249FAA7F301560E668524,SHA256=72D94EAB8D3944397F8C071751D28CBC31B22E84176EB75E055A0A0CCD307859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.923{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-0D0C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.892{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-0D0C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.892{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-0D0C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:48.862{43EB4363-57DC-60F5-0C0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\15d4-0\Microsoft.VisualStudio.Tools.Office.ContainerControl.dll2021-07-19 10:45:48.862 10341000x800000000000000065797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.699{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-0C0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.679{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-0C0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.679{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-0C0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.609{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-0B0C-00000000E501}3160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.589{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-0B0C-00000000E501}3160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.589{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-0B0C-00000000E501}3160C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:48.549{43EB4363-57DC-60F5-0A0C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\fb4-0\Microsoft.VisualStudio.Tools.Applications.ServerDocument.dll2021-07-19 10:45:48.549 10341000x800000000000000065790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.199{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-0A0C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.169{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-0A0C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.169{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-0A0C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.109{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-090C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.089{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DC-60F5-090C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.089{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DC-60F5-090C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:48.041{43EB4363-57DB-60F5-080C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a04-0\Microsoft.VisualStudio.Tools.Applications.Runtime.dll2021-07-19 10:45:48.041 23542300x800000000000000065783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.041{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22401F023A6198BF5A1B270B2C596722,SHA256=D4F8015A8C9B01DD614BF37611FA580F9CF6E234A898B6AABBC5A9BA347C33FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.986{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DD-60F5-130C-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000028963Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:49.761{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9DB85F427960993FD045CA85178CD5B,SHA256=E3E48EC81BA5EF374AA3C500F78C635576A2082448A891CA2685EBA4986CAAF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.896{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DD-60F5-120C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.865{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DD-60F5-120C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.865{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DD-60F5-120C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.695{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DD-60F5-110C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.675{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DD-60F5-110C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.675{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DD-60F5-110C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:49.636{43EB4363-57DD-60F5-100C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1a2c-0\Microsoft.VisualStudio.Tools.Office.Runtime.Internal.dll2021-07-19 10:45:49.636 10341000x800000000000000065813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.561{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DD-60F5-100C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.535{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DD-60F5-100C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.535{43EB4363-5784-60F5-350A-00000000E501}60607464C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DD-60F5-100C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d19b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d23f(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d2bd(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000065810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.434{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DD-60F5-0F0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.404{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DD-60F5-0F0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.404{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DD-60F5-0F0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 11241100x800000000000000065807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localDLL2021-07-19 10:45:49.298{43EB4363-57DC-60F5-0E0C-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1bc4-0\Microsoft.VisualStudio.Tools.Office.Runtime.dll2021-07-19 10:45:49.298 23542300x800000000000000065806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.113{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B0043057EFAB8A1F8F103E4088ECE,SHA256=CE95929DF2865C6043447587474FE5579ADCF9DC10CF173A0ED5125FA8008968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.003{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DC-60F5-0E0C-00000000E501}7108C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028962Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:48.034{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000028964Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:50.995{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D59013809D9AB0779A72934C25F6A6FC,SHA256=D126A3BEEE7993D9F87481A6282461BE860D23BE5159BBCFD11784A79812CECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.819{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-1B0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.679{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-1B0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.679{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-1B0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.679{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57DE-60F5-1A0C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.660{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.660{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.659{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.659{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.649{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-1A0C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.649{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57DE-60F5-1A0C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000065845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.481{43EB4363-57DE-60F5-1A0C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000065844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.619{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-190C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.439{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-190C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.439{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-190C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.399{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-180C-00000000E501}7908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.379{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-180C-00000000E501}7908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.379{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-180C-00000000E501}7908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.340{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-170C-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.309{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-170C-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.309{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-170C-00000000E501}1584C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000065835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:48.053{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.246{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-160C-00000000E501}7300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.216{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-160C-00000000E501}7300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.216{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-160C-00000000E501}7300C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.166{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-150C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.146{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-150C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.146{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-150C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.096{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DE-60F5-140C-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.086{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DE-60F5-140C-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.086{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DE-60F5-140C-00000000E501}6336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.006{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DD-60F5-130C-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:50.006{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEA9E25BF316FBCB3F15380958A5A08,SHA256=FF95A1BB16BD6CE0F6928899E5F8799C141A9EB5D6CBCC77C2803A0ACFB43C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.996{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E0566A6B6E0D7D7BE1781D2E2AFE6E0,SHA256=20B14EE2711088486098C77BD7071D65F451796766E86658E4A03A1F0B201CF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:49.986{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DD-60F5-130C-00000000E501}8172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.981{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DF-60F5-1F0C-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.951{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DF-60F5-1F0C-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.951{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DF-60F5-1F0C-00000000E501}7924C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.801{43EB4363-57DF-60F5-1C0C-00000000E501}78961384C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57DF-60F5-1C0C-00000000E501}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57DF-60F5-1C0C-00000000E501}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.470{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57DF-60F5-1C0C-00000000E501}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000065864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.324{43EB4363-57DF-60F5-1C0C-00000000E501}7896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000065863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.440{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DF-60F5-1E0C-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.430{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57DF-60F5-1E0C-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.420{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DF-60F5-1E0C-00000000E501}4516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.351{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57DF-60F5-1D0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.330{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57DF-60F5-1D0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.330{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57DF-60F5-1D0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.320{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6C3137960A3E19FE714EEE43FF8854,SHA256=129076AF1D4E45F0DBE2AB7357BDDF9D61AA5652127C2CAFCA5D1779C472C262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:51.010{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D3DDB56FA1499515D8D8486D9C94407,SHA256=60AFBC1AA0C3912B44070F5E0B85AA95EA3884709A62ADF198B3BDBFC4C083A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.973{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-280C-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.953{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-280C-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.953{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-280C-00000000E501}4852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.883{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-270C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.871{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-270C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.871{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-270C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.822{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-260C-00000000E501}3776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.803{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-260C-00000000E501}3776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.803{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-260C-00000000E501}3776C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.702{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-250C-00000000E501}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.682{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-250C-00000000E501}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.682{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-250C-00000000E501}5056C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.632{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-240C-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.612{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-240C-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.612{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-240C-00000000E501}7228C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.512{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-230C-00000000E501}7800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.492{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-230C-00000000E501}7800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.492{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-230C-00000000E501}7800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.382{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69345D9C31BEDDDF149CE2671E2EB52,SHA256=EEE6B8783A1552871FAE2D797D5A447C98966F7510052C43E6ED12D4A9402311,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57E0-60F5-210C-00000000E501}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-210C-00000000E501}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.282{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57E0-60F5-210C-00000000E501}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000065883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.143{43EB4363-57E0-60F5-210C-00000000E501}968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000065882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.192{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-220C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.171{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-220C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.171{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-220C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.051{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E0-60F5-200C-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.031{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E0-60F5-200C-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.031{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E0-60F5-200C-00000000E501}4460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:52.011{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF86FB0C9EEED4676D937B60DEF3041,SHA256=398F4BF9C4852542D93402803313B666EDDCED6AF367DFA49B8371B103DB09BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028965Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:52.011{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=860AC95612AC29A88E08FF9EB529D17B,SHA256=7FDCAF2D3EF7F81B92C0F491E6ECBA58A2E63AE4E62585C856E66E734FD2CFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028966Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:53.073{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC63F5BECE2C5AF653D965B75B4000EC,SHA256=3527EB3241C7E995B13B4B04AE70F3B0BA390913C6509EBC11FCB52B7A1D6A59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.934{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-2E0C-00000000E501}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.904{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-2E0C-00000000E501}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.904{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-2E0C-00000000E501}5764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.794{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-2D0C-00000000E501}7304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.774{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-2D0C-00000000E501}7304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.774{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-2D0C-00000000E501}7304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.734{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-2C0C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.714{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-2C0C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.714{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-2C0C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.654{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-2B0C-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.634{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-2B0C-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.634{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-2B0C-00000000E501}5048C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.533{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69E2C2BAD03804016752FCD3C75097CF,SHA256=3642A50F8457FF942D81953071107DCBA165B073DCC6A85D73BC7222B5944BFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000065916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.443{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7607E877F77F83A2699DD7844BC20122,SHA256=230983CA69F1B1FAAF695D975FDE8D7CAB06F3207225CBEEB48FC9B6D4980419,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.183{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-2A0C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.170{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-2A0C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.170{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-2A0C-00000000E501}7192C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.043{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E1-60F5-290C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.033{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E1-60F5-290C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.033{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E1-60F5-290C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.964{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E2-60F5-330C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.934{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E2-60F5-330C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.934{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E2-60F5-330C-00000000E501}4020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.844{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E2-60F5-320C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.814{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E2-60F5-320C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.814{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E2-60F5-320C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.745{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E2-60F5-310C-00000000E501}8112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.725{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E2-60F5-310C-00000000E501}8112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.725{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E2-60F5-310C-00000000E501}8112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.703{43EB4363-57E2-60F5-2F0C-00000000E501}75166172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000065942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.663{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B526F7FB432974D2E916D5010146E85F,SHA256=C768F2C8396A2B93C2507C2B514A7B256AE403A295BDAD50411DAEFC30BB5165,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.648{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E2-60F5-300C-00000000E501}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.622{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E2-60F5-300C-00000000E501}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.621{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E2-60F5-300C-00000000E501}4100C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.341{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57E2-60F5-2F0C-00000000E501}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.333{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.333{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.333{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.333{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.332{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E2-60F5-2F0C-00000000E501}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.332{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57E2-60F5-2F0C-00000000E501}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000065931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.108{43EB4363-57E2-60F5-2F0C-00000000E501}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000065930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:54.054{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A3ECD40AB2FC283F05DA46DE7CB9471,SHA256=592F5E2705D5B30219BAD16CCE30443ACEC3359FE2142FBD9BE77DD60033CF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000028967Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:54.292{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC8FCF1E38EDEB03B6540D0F6556F1C,SHA256=484768060250A6B1A583133B1CE9493B26F88B40B608E02DC6B12E60C03921BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000028983Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.792{53AF6CEB-57E3-60F5-0906-00000000E601}32482684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000028982Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:53.956{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000028981Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E3-60F5-0906-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028980Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028979Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028978Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028977Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028976Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028975Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028974Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028973Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028972Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028971Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57E3-60F5-0906-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028970Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.542{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E3-60F5-0906-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028969Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.543{53AF6CEB-57E3-60F5-0906-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028968Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:55.526{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB050F3E92E43F1BC1B1761DF1C555C,SHA256=B23E9962F3004704BBE62A97FF2FFF151241719B8C9746BDF50F131D90D1D2EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.935{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-3D0C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.925{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-3D0C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.925{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-3D0C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.889{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-3C0C-00000000E501}7912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.865{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-3C0C-00000000E501}7912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.865{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-3C0C-00000000E501}7912C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.815{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000065988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.815{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61efc|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000065987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.795{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-3B0C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.775{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-3B0C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.775{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-3B0C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.735{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71DC91E6D8BBDE2CF557AE93E534B7A1,SHA256=1A24A40075FEC680EED7951CD4B119B877AD69C74BCDE239F10A99EC28EE05A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.735{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-3A0C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.705{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-3A0C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.705{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-3A0C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000065980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.695{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC84E27FB390566659DF1447B1500FF9,SHA256=EB013C8A087242A285F80210ABBF9B91198DF75A8DC5A5B10AB66CD55BA8C43A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000065979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.555{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-390C-00000000E501}7988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.525{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-390C-00000000E501}7988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.525{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-390C-00000000E501}7988C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.435{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-380C-00000000E501}8092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.393{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-380C-00000000E501}8092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.393{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-380C-00000000E501}8092C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.315{43EB4363-57E3-60F5-340C-00000000E501}77125648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.305{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-370C-00000000E501}508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000065971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.597{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65135-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000065970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.597{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65135-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000065969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:53.056{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000065968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.292{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-370C-00000000E501}508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.292{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-370C-00000000E501}508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.224{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-360C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.214{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-360C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.214{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-360C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.134{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E3-60F5-350C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.114{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-350C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.114{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E3-60F5-350C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57E3-60F5-340C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E3-60F5-340C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.004{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57E3-60F5-340C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000065953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:55.005{43EB4363-57E3-60F5-340C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029012Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7F85C7481EAF6C698BDCDEC372D385C,SHA256=9E33AF54213028A5F95BD6A63E21B63C3121CB370675DBA178895D5FF881240B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029011Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE39F566D9BFA66EF1DA53CE7E41E53B,SHA256=C18DB69BADBE7A9DA77E1BD43F18AC029BDABEF5D801C07C2D548E6EDAA77B59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029010Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E4-60F5-0B06-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029009Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029008Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029007Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029006Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029005Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029004Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029003Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029002Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029001Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029000Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-57E4-60F5-0B06-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028999Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E4-60F5-0B06-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028998Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.732{53AF6CEB-57E4-60F5-0B06-00000000E601}3012C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000028997Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF62EA18FDB7AF5F6FBED04E2D7C716C,SHA256=E729976C4FD8B0D17A819515381F79A9B277FC07878D52711866E12F39EDFEA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.977{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-4A0C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.957{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-4A0C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.957{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-4A0C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.897{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-480C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.890{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-480C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.890{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-480C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.796{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9DE1273BC0D52B098EF6AA9B9C97513,SHA256=F7A2569CF7F248ACAD388F887CD0E5C2EA1B9294A092B9BD4473BEA434381007,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.718{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-470C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.696{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-470C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.696{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-470C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.606{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-460C-00000000E501}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.590{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-460C-00000000E501}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.590{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-460C-00000000E501}4576C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.516{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-450C-00000000E501}6212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.506{43EB4363-57E4-60F5-400C-00000000E501}15848100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.496{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-450C-00000000E501}6212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.496{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-450C-00000000E501}6212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.436{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-440C-00000000E501}3336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.416{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-440C-00000000E501}3336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.416{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-440C-00000000E501}3336C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.389{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-430C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.366{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-430C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.366{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-430C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.336{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-420C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.316{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-420C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.316{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-420C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57E4-60F5-400C-00000000E501}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-400C-00000000E501}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.276{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57E4-60F5-400C-00000000E501}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.129{43EB4363-57E4-60F5-400C-00000000E501}1584C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.187{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-410C-00000000E501}8116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.166{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-410C-00000000E501}8116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.166{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-410C-00000000E501}8116C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.126{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3C5B25F172FF4654F786119FE4A713,SHA256=79888BEECB19EF00C68B370665D77B4F1EC448FE27911D696E9D80FD541F5B91,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.126{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-3F0C-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028996Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E4-60F5-0A06-00000000E601}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028995Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028994Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028993Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028992Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028991Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028990Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028989Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028988Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028987Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000028986Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-57E4-60F5-0A06-00000000E601}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000028985Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.214{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E4-60F5-0A06-00000000E601}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000028984Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:56.215{53AF6CEB-57E4-60F5-0A06-00000000E601}3356C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.106{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-3F0C-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.106{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-3F0C-00000000E501}8020C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000065998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.055{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E4-60F5-3E0C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000065997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.045{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-3E0C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000065996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.045{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E4-60F5-3E0C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000029027Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E5-60F5-0C06-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029026Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029025Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029024Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029023Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029022Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029021Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029020Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029019Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029018Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029017Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57E5-60F5-0C06-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029016Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E5-60F5-0C06-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029015Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.808{53AF6CEB-57E5-60F5-0C06-00000000E601}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029014Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.792{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D7F85C7481EAF6C698BDCDEC372D385C,SHA256=9E33AF54213028A5F95BD6A63E21B63C3121CB370675DBA178895D5FF881240B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029013Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:57.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3951DAF3A271779AC3B2BBCC14E1BDFE,SHA256=AC45E8064CA6F5D42600D0215EC97EAA91FD581CE521D1D1339953BFEEC1962A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.996{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-560C-00000000E501}7740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.968{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-560C-00000000E501}7740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.968{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-560C-00000000E501}7740C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.898{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-550C-00000000E501}7288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.885{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-550C-00000000E501}7288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.885{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-550C-00000000E501}7288C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.813{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-540C-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.798{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-540C-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.798{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-540C-00000000E501}7668C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.751{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-530C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.731{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-530C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.731{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-530C-00000000E501}7828C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.665{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-520C-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.639{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-520C-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.639{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-520C-00000000E501}7984C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.573{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-510C-00000000E501}7748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.554{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-510C-00000000E501}7748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.554{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-510C-00000000E501}7748C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.478{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-500C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.458{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-500C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.458{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-500C-00000000E501}5124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.408{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-4F0C-00000000E501}8104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.396{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-4F0C-00000000E501}8104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.396{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-4F0C-00000000E501}8104C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.317{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-4E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.297{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-4E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.297{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-4E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.247{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-4D0C-00000000E501}7516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.227{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-4D0C-00000000E501}7516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.227{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-4D0C-00000000E501}7516C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.207{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD6BF2F5F8092BCFED53948B98698CB,SHA256=2261E01152DF3E89C4AE5B5E4519D961D215A67E32D6E607A8DB1091B00F589C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B3A640E0E70739AEBE16F1D7126A46E,SHA256=1D6EA23135E9C5CF0EA75ADB689887F48EEAE6F39527657EB2289BE5AF198010,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.157{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-4C0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-57E4-60F5-490C-00000000E501}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E4-60F5-490C-00000000E501}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-57E4-60F5-490C-00000000E501}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:56.948{43EB4363-57E4-60F5-490C-00000000E501}6628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-4C0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.137{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-4C0C-00000000E501}7900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.068{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E5-60F5-4B0C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.048{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E5-60F5-4B0C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:57.048{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E5-60F5-4B0C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000029030Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:58.855{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=744FA9F9B23FB0DD71EA724F6DBDB9A5,SHA256=6A9447D1CF77F58FE77F73EADF6D4793C0BBC07A99FE2A30A78965D8695CDCBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029029Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:58.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B056DA02F780938EF8DED4DFABD93AFC,SHA256=1CAE673ED4C44854AEAE73C7BE9B00469A7914AF6E08C2610DE4AC5FC0E2414D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.989{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5F0C-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.969{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2185DC06F1FC6DEC7B229F1647451739,SHA256=3D9740788014282ADE08D43BA7DAB69C8D8233A4276D92F185E92B981B5B01FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.969{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5F0C-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.969{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5F0C-00000000E501}96C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.891{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5E0C-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.869{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5E0C-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.869{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5E0C-00000000E501}7468C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.809{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5D0C-00000000E501}7660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.797{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5D0C-00000000E501}7660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.797{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5D0C-00000000E501}7660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.609{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5C0C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.593{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5C0C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.593{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5C0C-00000000E501}6200C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.529{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5B0C-00000000E501}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.509{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5B0C-00000000E501}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.509{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5B0C-00000000E501}7144C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.469{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-5A0C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.449{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-5A0C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.449{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-5A0C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.359{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-590C-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.339{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-590C-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.339{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-590C-00000000E501}7628C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.297{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBBF6C90DD16E96CD09718A228F1AE96,SHA256=99B3BA0384EE66442F47F91F8CC7791F0434309512D93253FB3389E04EE51D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C01DC883A0850707BA002BA7C1D98D23,SHA256=0831E6E8F192F394F6F75E39864F95CD30BA02CFF72D14727A4E4B448374B832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAAD9605EF55D6F0C16EDE47937A8CA9,SHA256=1C673360F1255D0CD30DCA0C7F2EBCDF7D0A849DB391E49E2362E620CB21DB6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029028Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:58.058{53AF6CEB-57E5-60F5-0C06-00000000E601}32043132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.118{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-580C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.108{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-580C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.108{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-580C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.058{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E6-60F5-570C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.048{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E6-60F5-570C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.048{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E6-60F5-570C-00000000E501}6660C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.988{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FCD96252ADE7C7FABF38CFABD5C95B4B,SHA256=598552FB709D59AE4E586CE65E1039BECDE7CFF6E57A9A253BBCE21CA2034BC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.986{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-6B0C-00000000E501}7532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.986{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-6B0C-00000000E501}7532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.917{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-6A0C-00000000E501}7500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.902{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-6A0C-00000000E501}7500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.902{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-6A0C-00000000E501}7500C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.733{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-690C-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.716{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-690C-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.716{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-690C-00000000E501}948C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.651{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-680C-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.631{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-680C-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.631{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-680C-00000000E501}4344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.561{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-670C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.551{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-670C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.551{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-670C-00000000E501}5304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.515{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-660C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.491{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-660C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.491{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-660C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.431{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-650C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.401{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-650C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.401{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-650C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.351{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A52696FA6EC20E4254CC74223A1B19,SHA256=067C278CC486EF8E9D9A24655C0AE4FAAC02B90722C3C65A3ACE1EC42ED15595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.331{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-640C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.320{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-640C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.320{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-640C-00000000E501}968C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000029058Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.683{53AF6CEB-57E7-60F5-0E06-00000000E601}18883944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029057Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E7-60F5-0E06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029056Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029055Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029054Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029053Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029052Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029051Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029050Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029049Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029048Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029047Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-57E7-60F5-0E06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029046Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.511{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E7-60F5-0E06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029045Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.512{53AF6CEB-57E7-60F5-0E06-00000000E601}1888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029044Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.261{53AF6CEB-57E7-60F5-0D06-00000000E601}31081304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029043Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E7-60F5-0D06-00000000E601}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029042Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029041Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029040Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029039Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029038Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029037Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029036Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029035Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029034Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029033Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-57E7-60F5-0D06-00000000E601}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029032Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.011{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E7-60F5-0D06-00000000E601}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029031Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.012{53AF6CEB-57E7-60F5-0D06-00000000E601}3108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.261{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-630C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.241{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-630C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.241{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-630C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.181{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-620C-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.171{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-620C-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.171{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-620C-00000000E501}7060C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.131{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-610C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.116{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-610C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.116{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-610C-00000000E501}7232C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.079{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-600C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.029{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E7-60F5-600C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:59.029{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E7-60F5-600C-00000000E501}6700C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000029061Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:45:59.065{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029060Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:00.167{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FD6950ECE1C44D5F5D7E30D1580F20,SHA256=C346A39552CA9DE49C889F13764EFBE9405591ADE703ED05242195A75837EF27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029059Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:00.167{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C240F4E10FBAF6B0AE957A3AC56D4CC3,SHA256=5018D1E9886A3033157DB06AF1C52D8AB978209EA7B4CA5C47DD5F6D7E81AB14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.942{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-790C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.912{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-790C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.912{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-790C-00000000E501}6556C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.872{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-780C-00000000E501}3800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.862{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-780C-00000000E501}3800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.862{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-780C-00000000E501}3800C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.822{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-770C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.802{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-770C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.802{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-770C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.772{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-760C-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.752{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-760C-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.752{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-760C-00000000E501}7836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.712{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-750C-00000000E501}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.702{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-750C-00000000E501}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.702{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-750C-00000000E501}5624C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.672{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-740C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.652{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-740C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.652{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-740C-00000000E501}7928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.622{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-730C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.602{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-730C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.602{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-730C-00000000E501}1896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.542{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-720C-00000000E501}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.536{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-720C-00000000E501}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.536{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-720C-00000000E501}4388C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.492{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-710C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.482{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-710C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.482{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-710C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.436{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D2D62FEDBD3FB64D0BE0E3F1C62657,SHA256=B36CC7918424535D036D07E08C25ACA61A03E27B17127409F74A548168272EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.431{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D06E33FCBBD4FCE61CF86057F413E9,SHA256=A4FC7501A96399D9DA42A98C48ADE19A82CCEC8FEEF1EF650FB6D5594EE51D74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.428{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-700C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.413{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-700C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.412{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-700C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000066167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:45:58.081{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000066166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.317{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-6F0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.302{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-6F0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.302{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-6F0C-00000000E501}5588C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.266{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-6E0C-00000000E501}1164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.251{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-6E0C-00000000E501}1164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.251{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-6E0C-00000000E501}1164C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.151{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-6D0C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.137{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-6D0C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.137{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-6D0C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.079{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E8-60F5-6C0C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.065{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E8-60F5-6C0C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.064{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E8-60F5-6C0C-00000000E501}7728C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.001{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E7-60F5-6B0C-00000000E501}7532C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029075Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.386{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=558598FE174931CE01442B47079AE23B,SHA256=965E933555D7F3BDD826F1522E9038E6A3AE28F87DAC61E1EB185C7478AF10D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.998{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-880C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.998{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-880C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.958{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-870C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.948{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-870C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.948{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-870C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.908{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-860C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.888{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-860C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.888{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-860C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.853{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-850C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.828{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-850C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.828{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-850C-00000000E501}7512C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.788{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-840C-00000000E501}7220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.768{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-840C-00000000E501}7220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.768{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-840C-00000000E501}7220C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.716{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-830C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.696{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-830C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.696{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-830C-00000000E501}7932C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.595{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-820C-00000000E501}7268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.565{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-820C-00000000E501}7268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.565{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-820C-00000000E501}7268C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.525{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-810C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.515{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-810C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.515{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-810C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.505{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED762185698AB9CFF8C2213198FBE00A,SHA256=A00D3E5B298D4063758960698E3F0FA2D6373F69487D4F488B1D3F71D67BE203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.495{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FB5A7C0B2EC823B6950337F89B24643,SHA256=25A496BC06FF4F0AE33CAF7C3F23B3C0C58F6B61471523E5AFF569A7F0AF20BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.465{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-800C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.455{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-800C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.455{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-800C-00000000E501}6184C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.394{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7F0C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.386{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7F0C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.386{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7F0C-00000000E501}7808C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.338{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7E0C-00000000E501}7496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029074Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-57E9-60F5-0F06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029073Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029072Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029071Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029070Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029069Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029068Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029067Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029066Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029065Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029064Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-57E9-60F5-0F06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029063Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.370{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-57E9-60F5-0F06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029062Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:01.371{53AF6CEB-57E9-60F5-0F06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.313{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7E0C-00000000E501}7496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.313{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7E0C-00000000E501}7496C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.253{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7D0C-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.242{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7D0C-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.241{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7D0C-00000000E501}7292C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.193{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7C0C-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.173{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7C0C-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.173{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7C0C-00000000E501}7248C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.083{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7B0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.063{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7B0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.063{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7B0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.022{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-7A0C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.002{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57E9-60F5-7A0C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:01.002{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57E9-60F5-7A0C-00000000E501}5316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:00.992{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=594C44233854DE304613C5D26B0B622D,SHA256=6AFF28F6A02399804DB92C5525A09B13EAF93E95749306985439EC516DD065D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029077Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:02.615{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4532A0262B955440995704ADC8269502,SHA256=BE3A444D71CCD40E625F8F46C208D01BB372DC051ECD50B146ECF3921644CE06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029076Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:02.412{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6ED34083D849555796EB6FA4E854C6,SHA256=354D6D007BE45B9F3FF91E3A9B001013E0DBD438FE85E06C84A75B2B343EC81B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.960{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-950C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.939{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-950C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.939{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-950C-00000000E501}6612C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.839{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-940C-00000000E501}7920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.819{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-940C-00000000E501}7920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.819{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-940C-00000000E501}7920C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.719{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-930C-00000000E501}8152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.699{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-930C-00000000E501}8152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.699{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-930C-00000000E501}8152C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.669{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-920C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.649{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-920C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.649{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-920C-00000000E501}2112C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.617{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-910C-00000000E501}3180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.599{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-910C-00000000E501}3180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.599{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-910C-00000000E501}3180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.499{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-900C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.479{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-900C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.479{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-900C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.449{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8F0C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.429{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8F0C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.429{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8F0C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.379{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5794D4FD790213571370DFDC0AC3779B,SHA256=DF5DFEF58A6ADF853C5FD90FD2E58C0A05B9A6091DD49F412A6A3D6FBFBAC19C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.369{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8E0C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.359{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8E0C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.359{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8E0C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.298{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8D0C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.278{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8D0C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.278{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8D0C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.218{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8C0C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.198{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8C0C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.198{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8C0C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.168{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8B0C-00000000E501}6344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.152{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8B0C-00000000E501}6344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.152{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8B0C-00000000E501}6344C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.138{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B75C5CD2DDA58EC9F7605CA8095C10D8,SHA256=BED49B16D04245C089A3C9C019740A1E705C0815553438CF848D4304318B6804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.118{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-8A0C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.098{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-8A0C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.098{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-8A0C-00000000E501}4944C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.056{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EA-60F5-890C-00000000E501}7952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.038{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EA-60F5-890C-00000000E501}7952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.038{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EA-60F5-890C-00000000E501}7952C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.018{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88922C76467CC21CF101EA983899DDE7,SHA256=A617516533ACCF6D8B1DAFE96BEB968B36144DC402B3991BC40BF52FE4281080,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:02.008{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57E9-60F5-880C-00000000E501}7280C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029078Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:03.631{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D73FC0549D97465E8FEDF01BC1C7ACF7,SHA256=8D3AB75CC74B68627BCD6EC8B425026C0768C7941E8737D65734B0D026285FE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.771{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9F0C-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.742{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9F0C-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.742{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9F0C-00000000E501}7308C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.701{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.681{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.681{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9E0C-00000000E501}6928C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.614{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9D0C-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.592{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9D0C-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.592{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9D0C-00000000E501}7508C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.542{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9C0C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.532{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9C0C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.532{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9C0C-00000000E501}6440C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.491{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F18A32E40291A39915DFCB41E2D1A1,SHA256=243460A15CCB00EBAADFB645B2BF4D557A1A9B1C0E36E0B63D3945A6D2D557C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.461{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9B0C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.441{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9B0C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.441{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9B0C-00000000E501}7460C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.391{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-9A0C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.361{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-9A0C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.361{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-9A0C-00000000E501}644C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.291{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-990C-00000000E501}4488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.271{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-990C-00000000E501}4488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.271{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-990C-00000000E501}4488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.221{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-980C-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.201{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-980C-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.201{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-980C-00000000E501}7716C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.131{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-970C-00000000E501}7256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.120{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-970C-00000000E501}7256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.120{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-970C-00000000E501}7256C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2975AC173BEA2538F48B2BD95A76A436,SHA256=9A5034DE6418876148D32A49517ADCDFC26FED3BF4EA59EF88CFC0045E3CADD1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.050{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EB-60F5-960C-00000000E501}8180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.030{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EB-60F5-960C-00000000E501}8180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.030{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EB-60F5-960C-00000000E501}8180C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000029079Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:04.865{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7207B8C094EA43F82BEEE517D36EB5,SHA256=B811BAFFB0BF6676D06380430A01014C88004E0D5F905644BC466FD28BAAC093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.976{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A70C-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.956{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A70C-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.956{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A70C-00000000E501}6172C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.905{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A60C-00000000E501}7972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.886{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A60C-00000000E501}7972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.886{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A60C-00000000E501}7972C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.817{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A50C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.795{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A50C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.795{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A50C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.720{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.654{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A40C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.634{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A40C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.624{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A40C-00000000E501}5224C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.554{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2CE5CF7FBBED8CEF60682082A46749,SHA256=C157FC64E773C47F3109B1E28F57E1017FEC1976B6A6E22BF55F495DB73701A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.524{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A30C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.504{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A30C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.504{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A30C-00000000E501}6640C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.374{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A20C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000066331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:03.113{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000066330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.344{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A20C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.344{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A20C-00000000E501}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.262{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A10C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.242{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A10C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.242{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A10C-00000000E501}7312C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.142{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CADA181C3A5CCC7C7EC15186D4CD0689,SHA256=05535966F9B778AB241C9AC41E2A3DEC022D5577831952533F620FBA1854F4F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.117{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EC-60F5-A00C-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.082{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EC-60F5-A00C-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.082{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EC-60F5-A00C-00000000E501}7356C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.997{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-B10C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.970{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-B10C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.968{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-B10C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.861{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-B00C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.838{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-B00C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.837{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-B00C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.747{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AF0C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.707{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AF0C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.707{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AF0C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.622{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AE0C-00000000E501}8140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.622{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F00B8EB9784D5DDD3955ED06DF496,SHA256=74E300166B4640C3143A1476C3C7F6FEB0324CD6A5681F3DC93062820E280332,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.596{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AE0C-00000000E501}8140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.596{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AE0C-00000000E501}8140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.536{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AD0C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.522{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AD0C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.522{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AD0C-00000000E501}6940C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.446{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AC0C-00000000E501}8008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.426{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AC0C-00000000E501}8008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.426{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AC0C-00000000E501}8008C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.396{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AB0C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.377{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AB0C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.377{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AB0C-00000000E501}4316C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.286{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-AA0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.266{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-AA0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.266{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-AA0C-00000000E501}7676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA8207C8846A55E37664A522A4301257,SHA256=4CD4058FA75D2823F376EFA18BE752FE1687C6078235EA90361C50976AEF59C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.186{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-A90C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.166{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-A90C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.166{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-A90C-00000000E501}8076C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.066{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57ED-60F5-A80C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.046{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57ED-60F5-A80C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:05.046{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57ED-60F5-A80C-00000000E501}8124C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.990{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B90C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.990{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B90C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.950{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B80C-00000000E501}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.940{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B80C-00000000E501}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.940{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B80C-00000000E501}836C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.830{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B70C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.800{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B70C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.800{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B70C-00000000E501}5488C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.710{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C522AB0031ACB5A09C3B839BC1C101C,SHA256=5523E0656AF14FEEF1CD547F32907076DFC6130D63D44C9DD6BC623FFA9EF4C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.700{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B60C-00000000E501}7896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.683{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B60C-00000000E501}7896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.683{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B60C-00000000E501}7896C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.590{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B50C-00000000E501}2976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.540{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B50C-00000000E501}2976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.540{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B50C-00000000E501}2976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000029080Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:06.099{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AE2BD20D1296A74D032A214D1A7FEF,SHA256=F68A9C737AF6704295E5EB395E31E86498A543F7FF62894B0BEDACC628CB30CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.339{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B40C-00000000E501}7696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.309{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B40C-00000000E501}7696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.309{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B40C-00000000E501}7696C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.278{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52551A86C490EEBDC037FFFAA492A6FC,SHA256=E00D29BFA1564801C618EE3D80DB1D8CF2DA76C90A61234EC94FD9E170A7394F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.208{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B30C-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.178{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B30C-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.178{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B30C-00000000E501}6900C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.128{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B20C-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.088{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EE-60F5-B20C-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:06.088{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EE-60F5-B20C-00000000E501}7712C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.953{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C50C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.923{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C50C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.923{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C50C-00000000E501}8032C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.854{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C40C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.811{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C40C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.811{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C40C-00000000E501}6908C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.771{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5B648502D7076C863125635B09D658,SHA256=FDF14AEA7764445A08BC4C162B1F8396952F126BFF98D328E9B6F801E06F3DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.771{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DAF1C5BD60D0482FF37604A271AE48A,SHA256=80E942F8DC2B2C77D502856D454B3572DC47EC53F086C749681A3C8D6F6ACC2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.751{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C30C-00000000E501}5148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.721{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C30C-00000000E501}5148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.721{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C30C-00000000E501}5148C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.661{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C20C-00000000E501}7744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.641{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C20C-00000000E501}7744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.641{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C20C-00000000E501}7744C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.591{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C10C-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.571{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C10C-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.571{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C10C-00000000E501}5448C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000029082Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:07.146{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1FC91DCC833E672E970485DD154446B,SHA256=04C092E0DEC08B2687ADDAEA820D92AEF138F2EFCCC753BD3DD99B638D66E335,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029081Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:04.919{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000066430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.521{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-C00C-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.511{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-C00C-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.511{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-C00C-00000000E501}6852C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.441{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BF0C-00000000E501}1412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.421{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BF0C-00000000E501}1412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.421{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BF0C-00000000E501}1412C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 354300x800000000000000066424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:04.648{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000066423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.361{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BE0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.331{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BE0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.331{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BE0C-00000000E501}6936C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 23542300x800000000000000066420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.311{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD66CCD8975EC7F31F100E813E036F07,SHA256=4F7DDAD2CD0B45244BEA33D923710F19304CD98248EE974B73D03526AA2BB8F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.285{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BD0C-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.261{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BD0C-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.261{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BD0C-00000000E501}7992C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.210{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BC0C-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.190{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BC0C-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.190{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BC0C-00000000E501}7976C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.140{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BB0C-00000000E501}5128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.110{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BB0C-00000000E501}5128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.110{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BB0C-00000000E501}5128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.070{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EF-60F5-BA0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.050{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57EF-60F5-BA0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.050{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57EF-60F5-BA0C-00000000E501}7764C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:07.000{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57EE-60F5-B90C-00000000E501}7904C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029083Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:08.162{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E477F80C26ACF21645E633B435C717C,SHA256=E700FEA3F30F689C8A87EFADBB7F40B5531C63EBF185BD1802CB8D21146334BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:08.043{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-57F0-60F5-C60C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:08.014{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-57F0-60F5-C60C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:08.014{43EB4363-5784-60F5-350A-00000000E501}60606844C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{43EB4363-57F0-60F5-C60C-00000000E501}4676C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+52c7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+3805(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c9ed(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cbbe(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d0cd(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+cf32(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d41e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+d6be(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+de85(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+df91(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+e032(wow64) 10341000x800000000000000066458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.740{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-5774-60F5-1E09-00000000E501}7584C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.640{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57F1-60F5-C70C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.640{43EB4363-37A5-60F5-0B00-00000000E501}6242776C:\Windows\system32\lsass.exe{43EB4363-57F1-60F5-C70C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.599{43EB4363-5774-60F5-2109-00000000E501}72607104C:\Windows\system32\conhost.exe{43EB4363-57F1-60F5-C70C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.590{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-57F1-60F5-C70C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.590{43EB4363-5774-60F5-1E09-00000000E501}75847600C:\Windows\Microsoft.NET\Framework\v4.0.30319\NGenTask.exe{43EB4363-57F1-60F5-C70C-00000000E501}8096C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e47|C:\Windows\SYSTEM32\ntdll.dll+78135|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.DLL+3d7ae(wow64)|UNKNOWN(0000000004444853)|UNKNOWN(0000000004444504)|UNKNOWN(00000000044454CE)|UNKNOWN(0000000004442845)|UNKNOWN(0000000004440F66)|UNKNOWN(0000000004440950)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+f066(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1234a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+1862b(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll+199457(wow64) 23542300x800000000000000066452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.585{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7AB8863EDE31E839DED6A7BC6CAE11,SHA256=92A2B157B59DBE6BC17B93ACBC7B130FC8416D80F90074FC59496B399D074F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.351{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D72CB25D62A281CEDE0FD580192B2056,SHA256=00631CD3434E03E97F9C52AF0DC51AF390C220E9757CF3FA608A6AD562B5677A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029084Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:09.209{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA88907FC3D2F644FFCE714D6A063DF6,SHA256=FE91E9CE575E559067D7CA77D7DD848A29810FB113719D87919BCBAF554B12C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:10.611{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9BBF37A67BA6F446FDF066173C0AF0D,SHA256=F4CCA5362EE61FD19623C1C1CC25BA025507D85C50ADBF857B9C4764078413CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029085Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:10.334{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976CD651BF01C3E637AACF971883CCC4,SHA256=43AFBBF96D22B643FD1E2FCBDF564B7B2C625C4DD14A210B2E64499C84F38BEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:10.594{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D423B94DA1E3F25812B5F7DAA0CFB563,SHA256=7F472740F8EAB63416228FE75C879CABF6C64BC96EE55F077FBFED1297456985,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:08.139{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:10.010{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:11.622{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3586721AD540D5BD3DFEB9FDADF22E47,SHA256=69D9AA3290488F7AA06684A5C351241E704A428CC920CA6B83C2146F1D4A8225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029086Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:11.568{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77FE36A403031557FD5712693A93FB6F,SHA256=BBB8A9B6C2D7D1E802165BD594DFBB88CD3FC8D7ACFC1AF50F07F9181370715E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.478{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local55888- 354300x800000000000000066464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.477{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57292- 354300x800000000000000066463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.446{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57292- 23542300x800000000000000066468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:12.624{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=800BC8EB34D2A7617B8D7B9A8DDA86D8,SHA256=546737E273EA4E83EB9DF64E89BF482F8A2921EBD330E63C1EF298B039BB9631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029088Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:12.646{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114C1D7D954714EA2825C1B5F4813CAB,SHA256=8D097EF1B116B8BDA1F3C596D7C9CBEFCB70B77694ED28564060FFEA7A2A3973,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:09.487{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65140-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000029087Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:10.107{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029089Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:13.880{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EC98AF61EBAE2FD99B278B294279B5,SHA256=C22DC3851CB69EA1556CB9A2A1E47D0DB250B1C6EDA8345385CFACF7B45C16A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:13.626{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D3D4FE46902ED40C5D5118AC01830,SHA256=EEF03273ED074104D85A9AA9FDCDC2843513EA1983F7E28F27BE23026E90118F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029090Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:14.943{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D838E19678759B6AB8E9F51914B80D,SHA256=ABDD429E25085FF6D96D3F23B19A634D9F11F60D171711BE6E20D6D9B4B4C7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:14.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8585FEC11DA87760CF782242C10A64,SHA256=1AB87383DAC075B98F702E2FAE68EA8AD9FBAC6B776234F4B2AFFA40B06D71EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029091Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:15.943{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=061E371B95687C7CF57F79015B1D74E1,SHA256=0CC3522AC9B86AA14EA4DE10A4C736AB5333ED297E192AE5E5B5B078D35DFBB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:15.649{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7B33DE6C8D0C850BC8FE8E07DDFEC4,SHA256=0E1DB313B7C30FFAD682C1B08EEE5645EB00FCE44E973CE2ACAED4F1FFD9F71A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:13.148{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65141-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029092Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:16.959{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A9EDA2998816608E2A77A5ABBB855F,SHA256=60AD9BCD44EF13DB9E58E569B0ADBF103C95B04D1B1AECF69D1580605F04E913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:16.661{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC60D88DD1BD939F1DF3EF25B63443D,SHA256=BB432107E218566F5682A92329351D69FE489AEBE1F15B22112F4115CCC7E586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029094Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:17.959{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E11F2E47ADD041A103E9BFCE677322A,SHA256=C968CE21ABFF7AC5A52A5CBB1C94D049BF6093B647FC90F2A174E77A16FA3EAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:17.662{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C4DD9C5CB6C26D6CE88FF17CCFAF77,SHA256=FB0112BA6027223DEBA099B584ED3294157F1E272928E95526FEB647480C50F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029093Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:15.982{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:18.664{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A32331D64B1C94075B958EA6A315E1,SHA256=A889DF7FFDC8A5400CD7129F5177496D35D7807A93B6D76CF70749907A7D8A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:19.665{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD3DCE07CFB40FC9D8CFB86181311C2,SHA256=9670A3D6C74BA9D924DF1A091965EB1D77E72D9AC7C89E8E51E0146372885358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029095Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:19.146{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B3E52E750C04F88C1D53ECE17D5419,SHA256=3BE47BE9F9CE129D45A9811EF0A7F5F458829277FF45087C86EA5BE23C47B9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:20.666{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33E25BA76325463945C1653700FE18C4,SHA256=3847153262C562ABCAEDA64C6B3423A3CAD5F09B8EABC1A0491A54AA3C29ACEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029097Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:20.974{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1087E25A3CBBA0D7F787737C0133425A,SHA256=DD3158B01E958680CE6700810C8438D4AC116441EBC533B95E185339D9F2F7D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029096Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:20.349{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E26F39D023A53CD018DA20CF01ED15,SHA256=72CBE63CA632D34B2C6E990CEE372BEA243CCDDEEF1D0F0FE58110DCD6D7A95E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:19.118{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:21.914{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5737866CDB9B3A1759360C9C74F09131,SHA256=70AB209379DFF79B0971B6BDF56C13EEC3588508564410633EF6D5CB384DFC0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:21.913{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8B49021CC5C534D672040FFB6A427954,SHA256=E687243AA9B7A7A02D39F408FB9F4E2377AD5CCFA2FB7AB8C51C33FEC1304C8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:21.668{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1676665BCD622DD760094D88FDE8B121,SHA256=F7845D1F3A809B87F63924ED315D3389C9256BB0C46949071CACEDA496A3F059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029099Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:21.397{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029098Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:21.365{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51EB1CB55328FA7D3B7E954D0E10574,SHA256=07C6FD65B22D8C53382852C7FE30C7AE6265D28751DC3DB529A3597C5E8717D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:21.628{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B10FBF0FA0588B216D1BADF76FB4F9A,SHA256=762CCFE2F6569BE2C6DCFA9CA6737819336B47B0F4B149D8F9E16A4BDA4AE683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:21.628{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE689E7FD687742ACE01F5E869A819A9,SHA256=431B983B161757757B9FD117367F76DDDEB6ECE0D4A92CA96AF2F804B7C00258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:22.689{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144D84962099B9A0B1EDF1792810B606,SHA256=0AC0DED0859224A6F5664EDF4C0CD8F46BCD0063C7301DB155A412DBD240FDFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029100Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:22.367{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D131B9AAE230680A9FB7CA483F6BEEEC,SHA256=A0AB7FB978FE9CFC6257E00B2B401A0FCCC063ED665FB55802975F92BC8E03B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029102Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:23.601{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E591BD2539B508BA54829311C8230CC,SHA256=5F4E633F29A66EE1DCA4F90A8270C19C4C438E41B0A48A93078F556DF71E0776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:23.712{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0A6396385F831D57F0B94AA8AAD987B,SHA256=B0BC4C8BC333092BDB841801427FFEC662B3933A108458D8AED7492397164957,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029101Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:21.281{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029104Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:24.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B9CD0BD2C7331B2F37822350FEF2C01,SHA256=9618408738CDF27761FFB59C4850B742A4A5CB9B954A370D740B5D853495419E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:24.722{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453699FB2D7871835982F5663D13F45B,SHA256=3A164729DA48B378351EC97BE5F8CE16226D19182D2B109A4CBCEA3864F7FACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029103Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:21.951{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:24.720{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=706E3C7BBDBB9BF1CA219A9EEE7959F1,SHA256=73917F73E878F2FBAAA3DA7241790C4E8F157EF09158A0FBB2EE2A6EC3D26F2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:25.731{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDBCEF71F6EAAAFB649E8C64CC24D2C0,SHA256=F6B563B7263FD76C79E9496533E2E67B997879A612B0112106B6F0DE395AD7A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:25.066{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:26.733{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B363A51DABCBF68ABBC7D2C9A0DE7B,SHA256=2DF151442D517E0F248C129C456FD938CF0671B401D064861B98CFBB222CD189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029105Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:26.008{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8435D5F7D957EC9DBA6FFBCF6FF4CB,SHA256=FA87ECFDAE7D6985986F7766A8B7885FD816718BFDA5F106696ACC56C675CD8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:27.736{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DE03205017A23034A67A9404FAE72C,SHA256=E7167013A9C203921FAC0D8BC0A6668B0A2D47D0703E975E1646B1BF10C10034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029106Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:27.133{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702B637BF3C08A5BB0F2BC52897E978C,SHA256=B1CA6D5A56D6046473F443239BDA2161F21C8E2072BDC1B4457F27ADB26603C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:28.748{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A6819698AA4FFB7C9221C3C1D6CCF2,SHA256=D2021FB8151920DF6C9B7BFF3108D561B34DD168623EF6D78C918099024B1804,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029108Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:27.109{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029107Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:28.320{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60956B46EF0D134375F0FF7E9CC149A5,SHA256=09ADA32BB33843D4B02DA918062D6441465562FDA315211DD2B43D2BA52C8E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:29.749{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2E893AFC9D33EF84EA8C8D1AE2D747,SHA256=94D90D5144AC42445E616E695C9287AEC8BD09ED8B47B89FD14EF13C83E520AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029109Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:29.336{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081EB5ACE047CBC804538545A359EFCA,SHA256=C7585CAE707E4FB9E90D727847316D792A9AC4ECBC0824B27D65089BEC46936D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:30.751{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E63DB9CC724947A9F85EE4CF5C9C9DD,SHA256=0530C2C67A34AF3DD912258B1A6BAE7B56AF4B637C4BF45787A58FB068D59B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029110Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:30.477{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B03A0FDF7F28A6FF5FFF353A09DB9F0,SHA256=34334487527C46B606592B9B4D188A8BEBC121F0953CCE50755856B9FEC5D648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:31.752{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A75CB45C59D0BD3BB3B6D085109873DD,SHA256=83606BF2BCB2EAE5C1C6AF8A1270D005412661C553445C89557981FCA9BAE9F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029111Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:31.490{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4757C7740F1EF7B15968F0A1758F6F,SHA256=CD237D487D3F2B8D6193C7EEA65E3972A3674F617452A3363D879190CF062235,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:31.034{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:32.754{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7127E0BB72F8A5F5A500D20D46C6557F,SHA256=B87BDCBE2046489393AF4C596DDED618E8F6523E2DDFAB896FEE42BEA2D3F0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029112Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:32.492{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5135EF651B0021077534F5F450DB7177,SHA256=C66E5C9AD4ED1B63BE3F4E3B79E48D7D45D7EF3817BB4728DB47072BF121F3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:33.756{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C45DD77927CB669B2FC0151F11C5B2B,SHA256=531B1ACF4932F103D8726A2FFD4058AFF4518E6F2C6CDC0F058BF1A2EA1D25F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029113Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:33.508{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7EA0EB34261FCA11603E72B2527F11A,SHA256=714CBAF8239FC6BD821D034A5E71EC8FDCB00AB7AABACAB3F2C4C7F0C844D4DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:34.908{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-564B-60F5-C908-00000000E501}6576C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:34.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB1B56FB1B732DABE0A36C61553ADC9,SHA256=6DFE782082EC28F46BE31755D4EEB036E3109F0D2A0287FCF4DCA34100DD0F1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029115Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:32.937{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029114Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:34.523{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F544AD9442765F13DB0FDA0D2A5C84,SHA256=7A50175891F4740EB922E8624ECEC83A6E6DBDF0E61E0E74AE649DE94D347061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:35.819{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FF49E5BF56A19256B90247BAFF4D7C,SHA256=86877EEC8D0BE7A6A9F3946329E6C1D237B06B91355131BF3C768A2429B9FE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029116Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:35.539{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=506F63E1789A34E2CDE5DA7E1DE4B3CA,SHA256=CB1DD9E741B0BAB1612AB8C038DB38821661833479F255100537B6B6D47C8E6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029117Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:36.554{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3335A4CDDE2352B1C5A330B5FA2ABAA6,SHA256=134689C674E421DA938C464CE73B0C88D5EDD76224034FD607AD66C6F616A564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:36.820{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF3F99778CAE8E8EDF4E2D323B7F69C,SHA256=065E50D6A6320C789582730AB2F3913D74823928B3EFAD4AB0F09DB2AB1190F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029118Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:37.789{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5FF0B2198D80C2A8BDEF07E272654B1,SHA256=28E5280FB859652EE129B1D4402CB4555AD571C7181D50AE774E9F86E979EEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:37.822{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FD6E8C1A6FDDEABD4F569FDF150448,SHA256=DDD42CBB0F5F74869A67778666DE6A03638D1FFAFCF76771228356CA1CE26B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029119Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:38.945{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88463A1EB8E6F1B749B4B5176563692,SHA256=9A5FFBFB4966BC77091594BDEF5A1725920FFE0AA1BD75765A0F72782DF65507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:38.824{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4F736004CAF25F129E97FEFF6D0BDE,SHA256=1F09B3EE98EF9B6F276B119AA736C1272DA011C522D5B66117D0C7443FFBBF1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:37.004{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:39.824{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=878C8116ED0B58ECB0CBDA5167AE224F,SHA256=F87871AE3B8A9663FDD62E4A9E704DE11E40025B75858E606275BC1220032EE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:40.826{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75F4E95AA6152D5999B1D0A8313544E6,SHA256=BC71481446D37D67E356C65A740CDC23C2220196D7DB4290699AA7651A00F118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029121Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:40.179{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5144C3CD6E0DD812920592825491D3,SHA256=92C5557751773F0A1F86801ECE92DFD361A9ABDAEB39AF6532C12A46C01FEAC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029120Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:38.046{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:41.855{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD0FE40833DCA66D87BFC8697DDA9C5,SHA256=6FA33EF12D79A0FBDE9C37D11D25462B258D451446DC49C9C12CCA575767E0DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029122Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:41.351{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B16389B7D60E312F1AF93A08F81C5AAD,SHA256=78EAD561077CE59CADECD34FB9EEB423DA6AF71DEE7F421B2CFEA4C53B787D1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:42.859{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D757DD335C89FE58D7BDB4145E5CF5,SHA256=4CFAD0C3EAFA4E1651590769D93425B9A33B88B2548592506C2C16A496063548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029123Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:42.586{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=465380DEAEF8A0098D8CCFE1B5565354,SHA256=A1BC476F8D654277F59B8F28DCA849A41973DA0AA3FA28CE87CC0B6CDFA70385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:43.900{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F71FC52CD359A973050E4B10A515D13,SHA256=496EDEE28E7556E551300F9C735C31BB3BBACB32E59B32055B845C39002C1F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029124Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:43.633{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE943D0D77B4E020F8675890E75871FD,SHA256=A9E74ACC81AFBCF74DCE997F714E21C5942F1E671F23B8761AB624C75F5EA2A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029125Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:44.867{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41468C9512AD8067136EF1CABC11357F,SHA256=40A6DE73060EFAC0D369F09C07C32B20F11E82B1BA99C33FFCC4856F3CF4D189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:44.902{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABDF0DC07EF5D9A5B57ACDD523821E10,SHA256=F7084445485D063B3B7EC86387304A0CC842CC9A1B429B35B06C6440B2282792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:45.903{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45EF676DA6D27DC82F2D9E75BD78871,SHA256=8BF216151DCEE0127E4F2F863EF89E1B0EEBB41B6E118115DEA1636BD3D39A74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029126Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:43.921{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:45.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D692915B19FD0504AB32669D4FB1706,SHA256=195019FB44872B5D817253E5B49ED3A35BC7AB0B992053581E77BE11B0694175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:45.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5737866CDB9B3A1759360C9C74F09131,SHA256=70AB209379DFF79B0971B6BDF56C13EEC3588508564410633EF6D5CB384DFC0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:43.002{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:46.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A207921EF47590846619D8AD324CF51,SHA256=3616C623AE7B8FAC249575C75BC41BE1A71015B78A25D253CD5DBAE77324069B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029127Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:46.055{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFFE632C866304451B4C2034C01D20B,SHA256=ED2E00360DD4EF800F0125A5A7FA842429AB64960682E725D935ED99421360F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:47.966{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30C59144FDCF48C684601128A553E39E,SHA256=39C93CDE23DC246FFF324A64CE752B4C46A1D367E2ABBA11A0ED95968ABC93B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029128Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:47.133{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51CDEF50F8EE0C4244B2A994CC705FB,SHA256=12AD727CD66FFF0699C21C9FDB1B734392BAAAE7B988DFDB2F58F58FFEACE957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029129Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:48.352{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE8D02F6D11738AC4ADA053362913B1,SHA256=FE285D64B8C428D7150228828CAFF9CC98E0AA86CE6AB5AFE88CE67F4D0DA093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.618{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029130Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:49.430{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E2EBFE2AAA2C560DA17EFBEA26DBD10,SHA256=18185ACAE2D76B2A775865CE9BBCEFC5AD56801212AF45CA1C2C0E60CE027699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:49.228{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B020736ACD8910D1856784CA22450711,SHA256=11A0F327C97DEE89326B793C83A66651AB272745726138625310E3BE5C91294E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029131Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:50.539{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78CB204288E9BDEB1270C23EB24404B,SHA256=BE2DB9A456BE73A7B9CB2EE1171108691A9D5F255640C089836F23471231CD00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.492{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-581A-60F5-C80C-00000000E501}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-581A-60F5-C80C-00000000E501}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.482{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-581A-60F5-C80C-00000000E501}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.483{43EB4363-581A-60F5-C80C-00000000E501}7924C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:50.251{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D4421BABEAB40EF78A0FBF32FBE4FF,SHA256=35BF43DBC5CC44EF79CF7A6A2DFD1D2FD44DFF2656EBE5975FA286C795696B9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029133Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:51.758{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ACE8256EE44C84C2883880B4F6BE0F4,SHA256=AC9920D64744573C54BC565C293E96BC05ECB1E0509CB3B7A19B84B512C740BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-581B-60F5-CA0C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-581B-60F5-CA0C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.984{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-581B-60F5-CA0C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.986{43EB4363-581B-60F5-CA0C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.569{43EB4363-581B-60F5-C90C-00000000E501}23966392C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.483{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06631BC5F9DD89FAF0EB2498FA4D579B,SHA256=3D0073672901D724B3468EA5E9CBFC241755D2FF2B130119AE74B110D39A27E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.483{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B10FBF0FA0588B216D1BADF76FB4F9A,SHA256=762CCFE2F6569BE2C6DCFA9CA6737819336B47B0F4B149D8F9E16A4BDA4AE683,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-581B-60F5-C90C-00000000E501}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-581B-60F5-C90C-00000000E501}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.303{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-581B-60F5-C90C-00000000E501}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.304{43EB4363-581B-60F5-C90C-00000000E501}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:51.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5810342D38C90439CF0A8B9D55055F,SHA256=701F8EBD7C3E83F44F1C92E15DF9F8AA58E4DE8735EFB9C2DED63ADE2DBD2BA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029132Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:49.110{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000066556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:48.992{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029134Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:52.992{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F842FF05052F5731EFCB9E033EE333D4,SHA256=F44B55205D00270BFA0D6CE27B72E6ED4AFD1F49D49D871ADB05C9626AF2CA05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:52.285{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4CE2CE7C78C3AC89871355FB4C41DA,SHA256=BBB4B1C07AD25023AAD85BD7EE15072E0D35CBE5DD068219690606C6C46FB024,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:52.015{43EB4363-37A7-60F5-1400-00000000E501}11001348C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.344{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-37A2-60F5-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000066580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.314{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5CCA5389FF5EAFDC5A5CA9E3485509C,SHA256=535A5562F3C3DDBEB1D065E474F0A58EA0E85977AE5E3CA299D065ABCC828D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.006{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06631BC5F9DD89FAF0EB2498FA4D579B,SHA256=3D0073672901D724B3468EA5E9CBFC241755D2FF2B130119AE74B110D39A27E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029135Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:54.227{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5757DBA6B95054FE9A44709AAAFC70D0,SHA256=877DFA201E9EB3DC83E3D68FDD2267BD35F15E217F1D9EEEC29A2F5395B949D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-581E-60F5-CC0C-00000000E501}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-581E-60F5-CC0C-00000000E501}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.928{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-581E-60F5-CC0C-00000000E501}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.929{43EB4363-581E-60F5-CC0C-00000000E501}7464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.427{43EB4363-581E-60F5-CB0C-00000000E501}72326928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.336{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24151387A04340EB315CDCA8551F5AA2,SHA256=7AF2CDD8D16BC3DB90236E834A85513CA7A532E5DEC77767CA4584AC6E30E1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.272{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0E3AF2C736F900AD50DA17EDB15DDE,SHA256=5D42A4CD272D687B4F15A927EFD3D6606A262EDA00C1E85CFBE1BB2CACD36F36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-581E-60F5-CB0C-00000000E501}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-581E-60F5-CB0C-00000000E501}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.106{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-581E-60F5-CB0C-00000000E501}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.107{43EB4363-581E-60F5-CB0C-00000000E501}7232C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029149Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-581F-60F5-1006-00000000E601}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029148Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029147Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029146Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029145Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029144Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029143Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029142Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029141Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029140Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029139Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-581F-60F5-1006-00000000E601}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029138Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.570{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-581F-60F5-1006-00000000E601}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029137Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.571{53AF6CEB-581F-60F5-1006-00000000E601}1244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029136Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.461{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAB3EA55DE3325E934C2D30DBC04651B,SHA256=DBB8936385735B1C12F29CC2F7A23A67956864AE3F25ACDBB4C3038B003AA83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:55.940{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D045EF3F6B6A0404C4030E4B734E0C47,SHA256=2D43A83EAEE240A0E1CD979FED228AEAF94B7EE8931DBAA92136F351A54CD57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:55.349{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF882A63AE5262ECF5E163DCDE179D48,SHA256=8F195C459A102F905C2EA02D2BC21F97D82CEC7643C52B07DB62CDF251A1C9B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:55.199{43EB4363-581E-60F5-CC0C-00000000E501}74646844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000066608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.609{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65151-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000066607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.608{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65151-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000066606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.281{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65150-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000066605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.281{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65150-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000066604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.189{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65149-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000066603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.189{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65149-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000066602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.178{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65148-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000066601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:53.178{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65148-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 10341000x800000000000000029180Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.914{53AF6CEB-5820-60F5-1206-00000000E601}40441160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029179Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF0D7912688C0CCAC7673AA64CEC028,SHA256=7CE449C6AA9908CB7A5EBE849A16CF838998CCE1A8E06FF36EA935765C010CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029178Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3790854177F7400DA3ED8E346C1E3D34,SHA256=0043B9288745CE1E637A517466D569D706430DC0B9248F6A9723B7AA646D71FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029177Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D5E32584EAEAFDFCEFB67564EE3F495,SHA256=43BBAFE47726D4CBE994B427D444AAB0C4778DEAA785EA88E7426196FFF45EDF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029176Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5820-60F5-1206-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029175Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029174Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029173Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029172Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029171Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029170Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029169Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029168Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029167Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029166Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5820-60F5-1206-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029165Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.742{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5820-60F5-1206-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029164Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.743{53AF6CEB-5820-60F5-1206-00000000E601}4044C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029163Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:55.077{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000066629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5820-60F5-CE0C-00000000E501}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5820-60F5-CE0C-00000000E501}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5820-60F5-CE0C-00000000E501}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.651{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.652{43EB4363-5820-60F5-CE0C-00000000E501}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.391{43EB4363-5820-60F5-CD0C-00000000E501}76447608C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.360{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95549E267753C66F3E09DFF377A00AE9,SHA256=63A94407CAFFF1CEA9381150D69D83A7524E3C16CE8D1F13A28DE2BCD19B916C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029162Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5820-60F5-1106-00000000E601}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029161Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029160Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029159Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029158Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029157Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029156Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029155Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029154Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029153Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5820-60F5-1106-00000000E601}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029152Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029151Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.070{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5820-60F5-1106-00000000E601}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029150Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:56.072{53AF6CEB-5820-60F5-1106-00000000E601}3716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5820-60F5-CD0C-00000000E501}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5820-60F5-CD0C-00000000E501}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.090{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5820-60F5-CD0C-00000000E501}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:56.091{43EB4363-5820-60F5-CD0C-00000000E501}7644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029196Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.992{53AF6CEB-5821-60F5-1306-00000000E601}37724012C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029195Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5821-60F5-1306-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029194Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029193Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029192Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029191Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029190Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029189Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029188Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029187Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029186Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029185Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5821-60F5-1306-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029184Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.820{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5821-60F5-1306-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029183Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.821{53AF6CEB-5821-60F5-1306-00000000E601}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029182Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.774{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F4965CE4C5528822128C48F12B2623,SHA256=578A756FED620A29D95FB7AC7579FC1F14A33721C67F6C7FBD3C1902B693535C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:57.392{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A75AE7848863487FEAFC507D3649AD,SHA256=F998F12D32ED9D55F053C9676425B8E6308098189D492D7A574D9F54266F1F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029181Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:57.742{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BF0D7912688C0CCAC7673AA64CEC028,SHA256=7CE449C6AA9908CB7A5EBE849A16CF838998CCE1A8E06FF36EA935765C010CB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:54.953{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:57.122{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974C7DDDCA04A0F091B51DD7AFDDE2B2,SHA256=24C7D73F803EF0FF0BDD765D691F8CC53BCD7938021B2800212BB79B509C87F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029198Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:58.852{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5294F01F596BD16EA1C3301DD52BA2E,SHA256=44F589CF5A6D6638D6FA9E83BDF8592D4DF2FD2D5451FD9ABEA2CE3E9652C92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:58.394{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0541A0680DDF3B84C741B97C5B7DD27,SHA256=2CF4E11C6F547605AFBF04D05F036486F8363EBE996B0152A1768F059E44E676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029197Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:58.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51BC5A20849AB2675D531CFA8BD1836,SHA256=1A8663D8171320B34A723343D02B2A0CE5BC2914B01DA73CDF16423E159E4E57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:59.395{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C72F15B41D282A76EABE4520687347E6,SHA256=FC638C9DF8C34D805C04C9E4DD74B56EF6C27BD15C4A56B15AF4A1381B514268,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029226Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.758{53AF6CEB-5823-60F5-1506-00000000E601}19282292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029225Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5823-60F5-1506-00000000E601}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029224Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029223Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029222Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029221Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029220Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029219Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029218Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029217Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029216Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029215Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5823-60F5-1506-00000000E601}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029214Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.539{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5823-60F5-1506-00000000E601}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029213Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.540{53AF6CEB-5823-60F5-1506-00000000E601}1928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029212Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.258{53AF6CEB-5823-60F5-1406-00000000E601}20561232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029211Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5823-60F5-1406-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029210Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029209Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029208Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029207Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029206Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029205Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029204Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029203Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029202Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029201Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5823-60F5-1406-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029200Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.039{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5823-60F5-1406-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029199Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:46:59.040{53AF6CEB-5823-60F5-1406-00000000E601}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:00.399{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103BE37E25F11BDF9648C7B1285568C9,SHA256=258515C27BD8C155D47D0D6E4EA3046B585B6F32A250BBF16EE16506911B996D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029228Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:00.274{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEEABBFFA78C732CE8D41262D9F821D9,SHA256=AD50D6EFDEC57A59FD7987CA25009FE3FD49C409C65CE54C6E15C09BAC511763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029227Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:00.070{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2292A2DD7D2EC9987C1818C1906F69B6,SHA256=7FB04D15940560A0A3AD25462FE79FD12A393D6E604077DF27E543D31DC24D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:01.402{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC73418FAD1EC4113D0B2DFD78C19A0B,SHA256=19AB1C7ABDF30AA64A37DB4FC012F0649185FF26006E7F69701B689CD22AB847,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029242Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5825-60F5-1606-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029241Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029240Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029239Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029238Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029237Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029236Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029235Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029234Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029233Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029232Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5825-60F5-1606-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029231Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.383{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5825-60F5-1606-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029230Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.384{53AF6CEB-5825-60F5-1606-00000000E601}2628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029229Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:01.102{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D55B07E0EF49420AD2231E5EDA09CF0,SHA256=9141BE41292CA5D741B4D31A9C8401BDF73573961685982517FFBFE848278314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:02.533{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8014F07F76AA638FACA725A8B0C7A32,SHA256=989A611F818EF8CD0E43EB2A8261B32AC227C45C4CC3FDD2FB6F8DD032231BEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029245Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:00.999{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029244Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:02.413{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=37926AC1761A072D7F184A30FEB2DC67,SHA256=F2747A014CD802ADB974348AC41B4FEF645395B8F4A56253F5348922DB05C6B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029243Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:02.195{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207B9D09294583F327D2D6AB906DC1B1,SHA256=F33105FB8DC635FE1EA7A8155045C10CDC56520A9E54CE6DE382AB04068D95E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:46:59.989{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:03.534{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B61D566DCF960FE2BA34517E436C2D7,SHA256=2B4E70EA34D12A63FA6E87BD8249AF815ED042C07E92E916F8D91BE803E60677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029246Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:03.257{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166186A2A4ED534F2541C5728E8FA003,SHA256=EE6A35D90DD857C0DD61C8B340E4486C85D9C17DB76EC21A32E415B52ADABBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029247Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:04.288{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6A574BC103491141866B3DC529220C,SHA256=5CB329B395A099E130B80A380BCD8600E80F72BC3461B94F312E6E244AE0DB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:04.736{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:04.566{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCF651BC7A82C45B36DDFD2770A23A6,SHA256=4001E55F98C2A499F7D1575319D7B788BE7FF312CD6A166ACD21C26849B9AE11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029248Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:05.507{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6671F60AFE74AE4C8FE78E3A26C684,SHA256=F54D245DB033F9C8799A78D3274D617A2919E91DC485F13F3FC4163DA8632BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:05.568{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303D25523E7DCBC8B4AE912A23993AA1,SHA256=0F603E610F9B71A04079A23C975F70D54833CB3239C2F467B34D082DAD7F066C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:05.077{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42463BF26A66996B91AC7B27882E6D7D,SHA256=70A1C3D9D9BA6450EF656871E0C8EEA405AC63C67812C662E7B00BECC3ADF2D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:05.077{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A07DB3E82282EB1C7A0FA5299E91905,SHA256=CF9CAEF1648FF5B21153E108BB597E875D9BFE702EB0EDA57489AE333B4C8C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029249Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:06.726{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A83C05A7C2D09F4A404CE4D1A11B385,SHA256=6009EE40D3624BD34076F2CE939FE1EF20133759D011A605295957A59F5D92A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:06.569{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F44FE46E25D9581595EAAB4BF122424B,SHA256=A3A0B93CBF84DF07FDF0B2F8CF330E77ACDC5BC7A43D5DA68A9FE163B425549C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029250Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:07.898{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11C97DEC08CAB18201994CF715257AE8,SHA256=67C11F2117EE6328B8A11F762421EED3EA0E4D6924BFE388CB54D7C10EC13096,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:07.571{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A0344B840C516632E3C2D6ECB7DCB1,SHA256=DFDC51ED8CCE138323729552DF45DE13AF896E2C25CE2E3A327CE248FBB76A52,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:05.000{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65155-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000066646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:04.659{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029251Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:08.913{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6FAAFAEC6F7DAB28326737A428B3638,SHA256=4156BC4BC24EC3EC28DE9F122B9363CA532E15F073229DE07FD80F3F0DE500A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:08.572{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1331FB7E4466B8D19C21BAF3C019EF,SHA256=A998229A24A053844CACEDC3A8085EC9EFF45B5F2783B3DEF8A3D7B750621B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:09.575{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9740F02F19E74FF46995CCDE60857A8F,SHA256=060ADE9EFCE8B0AB4D22CCC5CE9BED273CE48825277E2AD94AFD6DB41B4CBEC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029252Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:06.139{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029253Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:10.132{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1185FC20082AED8C3A5192F017B4554D,SHA256=CE9DB6DCD90FFE1324B5B6F58478BBED1CF0C8651BF7DB20084632D90A44E6B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:10.577{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3192A793B294611AF7CF97F7BBAB52AD,SHA256=425A6F1E6A87B3AE552112F7941384591A8B3674547B6740A4115724F3CAA2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029254Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:11.148{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED40C571EE51321DF80D022E11F69A5,SHA256=AA1484A7C80734F11914F90F0521DE8FC98BF2FB582524142C903E5E2D684CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:11.598{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1539E5473474016C9D8F5B9F265EFF8F,SHA256=A22D2A6FF00075F8ACDCE9DAAA5EEAA367B0779B5461D29B51F2C8A6133813F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:12.599{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=759B8412BEF53F8B7E9BC944598DAB6A,SHA256=61C2060A5B8F8BC12DFFEFF8B7EB203294507C29D65799F203C25A2F00E1AC59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029255Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:12.398{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=711DD224C4791905EA7D30FFE2B426A9,SHA256=2B9F6376DFD3DE9AA570C0CA9E02842A8CFEBF7AFA5A42E9A9D187812EC38877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029256Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:13.413{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CE6D499582E023932E9C9F1DD3AFA,SHA256=429CF087ED4589675ECA9668EF70EB0344DEC6F7BBE33487C9530A23B2CF457E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:13.633{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1666D1C05597E1146101B8ECCC6E1935,SHA256=82A56417A4AC60143272D9BDF296B8C015375D1706D46D8F78EBC74084F7ED23,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:10.990{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029258Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:14.648{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2FC489775A7D8998665422254FE6727,SHA256=EA33B662982D5CA0A45947ECA6619C9BD36C9A859C50D79D76E1F13D09CA2724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:14.645{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB829F436B887674BE92FF59E69DB8B8,SHA256=CFD60DA9072741D68DEB2FE58BCDAF597F54E5B9603167EFD419A919E85B9536,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029257Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:12.092{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029259Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:15.882{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17E02D5FD6486BDCB85F65ABEDC7ED8,SHA256=F1641E89A4BA6B84883F695F58941E0340BBEC8F88EE5D243A2C09875A61A98A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x800000000000000066658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-DeleteValue2021-07-19 10:47:15.756{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BITS\Performance\PerfMMFileName 23542300x800000000000000066657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:15.646{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BA8EFFBE5891F0CA9C105C21705785,SHA256=1D7434E58FAD760CAB5CCFC32AB8BD3BAF9CA31C77ECBD1FAE6075B57BDDD8F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:16.858{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B189A38AE5181868F01B7C203138F4D9,SHA256=C91C6227744229427794C2D3367F8D3B7CD8A45D3337A0527EB5D90E7844F3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:16.858{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=3D692915B19FD0504AB32669D4FB1706,SHA256=195019FB44872B5D817253E5B49ED3A35BC7AB0B992053581E77BE11B0694175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:16.648{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAD442728E83D21F4366A4732A6222DF,SHA256=6762CB0302C81E91F15A8BC0713F52394788BD32CB2A43FB906AD299FAF10C07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:16.367{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2500-00000000E501}2764C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:17.659{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5C445FCEBA4EB1973EF6D707CA2B5B,SHA256=730E896E4CB819D08CAF6E91684F4684E6DA76601DD3B0797A69738F4C8D1839,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029260Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:17.038{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837D81A1813334087FFD60056292D7BA,SHA256=1656171E9922EAE0CD678632C712495C4E04030203626E8377D794BF5277A221,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:18.901{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-56CD-60F5-F608-00000000E501}7548C:\Windows\system32\msiexec.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:18.661{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51FB5BE7FA252587B91C952EA1B5A77,SHA256=B98359A2E94A0DD75AAD78044C10B11885C5ACE0DCFE69C35F8061BF5C815397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029261Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:18.069{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8A3D56A3A08D50AD2DB16E7CB17C47,SHA256=1B997398D221A7FE6508181B8DF0911F8A363ABBCE60BA37FC03189F0059CFA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:16.010{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:19.682{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068B5EDB1200600A5DF7A4E4AE30A240,SHA256=3806E5C4AB6A1C66895C0260DDCEFDC064D6F1FF74AECCEBCAF43F8F71CA4293,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029263Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:18.014{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029262Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:19.148{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23A9B65194CA488FF051D09CD96FBE0,SHA256=84811487085A8293A616BEC6428A2F59DD2C373535E9F9F83F829850AC9917FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029265Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:20.976{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=338A36EF2DDB85AAE17876B3B1AA7609,SHA256=18C64DB9D94BDA30C12E1FC2B3B27E685383DFE19161C8CE7A7B0970DA451763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029264Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:20.382{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8303709EF1557F66BF949C28AB005E,SHA256=7110F5D9960E5D75F8440FFF46D14BE691B32229F9EE0F2B55575A9DA38FB788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:20.693{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E9A75948C555D3115B9ABB2C1437EE,SHA256=E3B2A7CE014F36FC45DBB5B3C07262B62FAA259C7BD153B992E5B40F6F7213E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029267Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:21.616{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67721E727EDA686ADBF75232DB9C67F,SHA256=8D1FB0632FE285D57559864C5E574F207BF99D1DFC1E07B7337C0B5885D50434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:21.695{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845CC3CADECAE9E0A78530EB7A8B2EEB,SHA256=F0C16BC60FECFED48D39EA8599AFD351D1FE6AACDE634315411C7F206394ACD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029266Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:21.413{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029268Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:22.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857EDB4206BD86825D0ACEBE836F79A6,SHA256=80011F07D10AA97862F237829F5B045041D86E541E94ED6309C43D6E050FF477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:22.706{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB745D1D3BDD344743213871441936AB,SHA256=7C2D29A014C0422FB50EC56A944903697E78A2BD6AD1F2438500A4A28F270181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:23.708{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EB629269C3DD3351F50C4A05CB7201,SHA256=1D1B31DDFEDF4C04102034DFDAA6145C9A05EE19123FA8C5B8F483715B1E103C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029270Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:23.745{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F566B94978F2287A5018C444FC23E3BF,SHA256=DF38B8E6DB96BFDF302628CA06002E1869BC7C7E72DD91B59144A4A5CF93D590,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029269Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:21.279{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029271Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:24.761{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8845A31B9C9697E2E2C50E5935078D8D,SHA256=E239B6FC55C585E5037FD59CAC197DA123464F696FD9DCBABE3D7673F7E689A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:24.730{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A2B85D04C94DEBF50BA5324C4F5D272E,SHA256=DF76520FC105F9D3DD6F719E00204FD021D42B39FE07D6BC31DFD8ACABCFCB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:24.710{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ABA74AD27FB45EA49B68E81EDAC3DF,SHA256=0753253065CF48385207943070962DC46FA9C2C229DCE1130AC4610D970D608E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:22.009{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029273Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:25.776{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1C5E0BE22422B6D38B91D9EA356A1,SHA256=ACCCE0E537ECE69AC42890F31043008B345FDFCC8E6A76E06D30892930F9924C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:25.711{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A9BE7059F559BCE449A9FE350DB2EF,SHA256=F5F65FECBE524D4D038B53B5EBAB7BDA0560885D43F044894296F96CBAA29F92,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029272Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:23.142{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:26.712{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80090A3996943B6F85C79BDBA3316506,SHA256=F9EAD0ABA73E1C043DB4CEAAA82A589BB2FA61B4302C58E852CD1B755AC8D691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:27.714{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E778A55C95A6CDB81E9F7321CC0BDB,SHA256=A48E3310E14DB6654C8D3D719DFEB5365617562B97C626DC443E53016B92828F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029274Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:27.011{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AD9EE899F9C50A6BA74C0759BBE1C6,SHA256=0B7DF5B6C24A5AB76C49B2E923B9C2937B9E4810AFEB9A4D65135AA1B53152FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:28.716{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097B65B14F53EBDF0BF9BA260F88ABA2,SHA256=AB4F73AA1F25462EC470104C6628E1470A4AA8442AB2206A11CB1469EC7F91DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029275Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:28.151{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F34A44EC94CEA640BA0385482D79CAC,SHA256=6D608B1B634F7183D2B989735E2695897341A526734A3A5674FCD9B20735638C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:29.717{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9DE7343CC3AAD916C7949BAAF9F2D6,SHA256=0EA000732862AFAEAAE7D48EC995F191737B0D1C2B3D573141F2442D63D690E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029276Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:29.245{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=529DE4243D39D798836DE216FA8E57E8,SHA256=78671FCBA96260CA517104B1817DC9207491F189B227711D14A00162655280D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:27.957{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:30.728{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2714732A147E9C8330F6A59CD1EF63D,SHA256=F0A9F75A8C8FDB2D372C7DA95C0A9387D5C094370AE44F807C1795581D8BB24E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029277Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:30.479{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D718415F7FCFB79A6C712DD11ED487F,SHA256=ACA39F061E2091C361F8627A2E697023AF31A1FDD91766FC92E4D224BFE88860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:31.730{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F217964481EEEBB9571D42100D425F,SHA256=F502A25E142C1A1B3B7807AE973D6ECCB46EC4184353A65CD983AD9997DB4B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029279Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:31.560{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F921E651AEC8F7CF20D45AD3F23340,SHA256=6545AABE3539FAEEAA2BBA374682BB340419A82D0C1D4E6085A9DE5B8086BF7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029278Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:29.111{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:32.771{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09E84AE3C5C26840FC6430AE661B536,SHA256=26DC70A8EB663DF92C69DCF20938A44E3949F292A12206541219862204386EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029280Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:32.781{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AC488ECFA67A241D4E1AA5BCDBC156,SHA256=62EB1D5E5B2367FD029CCE09BD22F367DCA2036A0484B3AD1A5FBE53B78EABE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029281Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:33.859{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33BE8F2055B40C11ABF29C37BF06CA3A,SHA256=29E22EFC80F6E775F74162DA1B54421C520DB4D50FB5F5AC62FCFD881FC6F2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:33.772{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606375DB898D5736413F4E57AFE8725,SHA256=1CCA05685C38E5F29C9448DE6C017308885A2CB09E143F7473A85EEDEF269E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029282Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:34.890{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8183E2C02D6ADCF882930E8B64E570,SHA256=1FBCA808A51D0C9C3A78CCFCE9E30BC212369583E579F351DC1DAFFA75C40D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:34.774{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60DAF3B37E62BD550FDFE7C920C8B504,SHA256=B4F332ADA8FA63CEACB2C7774678FAEBA423BF472331D2022D5AC1CB2D2E5FE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029283Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:35.921{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D195B4A635C791A8361A7D9CF2A55C8,SHA256=C660619B70403B591694D53E7E01608EDB616D08AB44EA558E9493905B83C20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:35.775{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F0F0AAF20B1D2AAA91E76F9CAFF9E7F,SHA256=BEB3518CFC6AE38028DCCE203B09D70EBEE88C3FC4C9B20E254025551DC5CE47,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:33.956{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:36.776{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6597FD20368D16168C0516227E628903,SHA256=A50BEB8754EFA9AC6530566FB722CEA58F8E078FD294E320DBCD51F8424544E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:37.777{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12ABE115DCD7EEB05BA7B75F3B7263B8,SHA256=0A710F565755CA16E3936D808D342DE11A315EFE4D6E8AE744E1813B985F0CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029285Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:35.022{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029284Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:37.140{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5329C3364E9166F87FA855492FC2ABD,SHA256=3C93DBDA0654A04532019C3AE1588AE0F4FF4A564B3862C79E643554374D3965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:38.778{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FFCC5AD47EEF845F72BCD5FB35B892,SHA256=C802B6081D4D77202B6594AB781965E4BCA8BE6BF6443D94B0E3E98E13F2887E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029286Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:38.265{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B37B4C5B8DB16D0789470F33A0B99,SHA256=9CDB2781C9C6C17D1EEB0C3F5597945FD13A2BAC17CF496B4EDC8BD2CDA6410F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:39.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FEA16BC5BAC9AD4441BFF1025CE2128,SHA256=88DABA5E5B13D470C048757E0DE438357792AA9A68AA6E8E1B51B11E7060240D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029287Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:39.281{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E18922EE24055CA180D181DA34FD36D,SHA256=4BC05B2C3AAF83FE78D59E6ED381049E111C08988111F8EA47C91AAFB0AC22E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:40.781{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38FF102314F0A07A9618F124F1A4F15C,SHA256=22061EDB21B34A7090926A00FAA973D2C31A563DD14328C71A778A3387BAD93A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029288Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:40.296{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854FEABE37E48B4C5B6B818E8B4713FB,SHA256=42DCC33CB1B93672490DBCB7D6A77A88A891B77F334F585D35F7772C01CD5E86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029290Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:41.515{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A57DFD9E24A095D001ADEEDF80D5FE,SHA256=C8DAE270E485194F8676A653A8AFC913411983C80BBEAF2F7B218E63964AA429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:41.782{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AF5ACBC0827649EC4E8E58C5B28058A,SHA256=566303A801F406A351A4818D7AD59344F160F703ACBC9A336B5642CC4A69762C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:39.181{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 11241100x800000000000000066694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:41.291{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txt2021-07-19 10:42:41.286 23542300x800000000000000066693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:41.291{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txtMD5=E08E0B1789AAF88619B2CDF052061A76,SHA256=6B74B8D03E166403B46541C445D894497EC6DDD4BFC50DBD33AB3960BC00F3E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029289Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:40.116{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029291Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:42.743{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874441ACB7390FD68C1DE06CA638A8A8,SHA256=621BCA4EA91C5B5E48A4ECFDFA48B9861314E5E46733074FDF9FB165F6738254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:42.783{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2208377B0665AD62984431123273DE3D,SHA256=3BCE1D56191948799A2F11993D76014EC7166DA5B8219BD7C22029C0370F3CC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029292Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:43.978{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC3BEC7FE1042EAC7E2A3686091AFC8,SHA256=5D6E85ED297F47B6FDA719EFCF55A6A270D150BF32DB2C7CB5C5295FD6EA6D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:43.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9D0320295F2ED166305067545D3DAE,SHA256=44367503F4039CDEF1D48F4CA8D23FA03A924FB5003E6D5D1B8AAE4E22B1DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:44.815{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC094AB3F1D4408EAF6A0F897824DFC5,SHA256=5B2F2768F5F8B9E37BD02D130229263035456AADB52B237EC9223E91E8E8320C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:45.827{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A9AA87CCB4E03D61063F51AE05FC68,SHA256=EFCA909A2875BFBA6B2C6C867C5A02E0A9FDE03B1F57B7BCBA4E04E481D6F6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029293Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:45.009{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A690AEBBE6FD4F92D583994F4D05D553,SHA256=A3601E591740428A98FEC6AF9FE1DA1AFA0832FBC05C04D7BFF1CF55CB676C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:46.828{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC83F269AB9994AA936A29B9C11AD55,SHA256=E44CF796315B75B00B200481C4CE0955D8A4313FE13D6DF3FFE775C8CD0BF9B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029294Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:46.228{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7A37C4F8240A6AF62FA9D1B9EDFF04,SHA256=B8C96BD7CB029D2FE283912691AD09FFC52CA2641F15801C4D1D623D164B1840,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:47.830{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4481703C8F929807F5BB14150DA42872,SHA256=B16F0E8FB593E212A8B0E63A75D3B47DBD025A1C7F5541E633D88F71CAA78A21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029296Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:45.984{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029295Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:47.384{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195865B818B0947F9A483E0D5DFB7BC9,SHA256=4ED8DE1F219942F46978F6942A92AE880688725151FB95C8224CC2EF271958F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:45.169{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:48.834{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F45B8BC6E09B5A0404144A6188C595,SHA256=7CCEE2E06E0663AF8F1DCC4B2C78C674707E63ED79FD3EF33D15E2CF61939BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029297Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:48.400{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA975CDBCA394D81D9BCC5BC41FEB2E,SHA256=D5623E4575F1B55A5DAF59E843CBECCFE0964CA61E3AA01652F5CCD83E7FF1C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029298Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:49.415{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D164C8BD096DFF8FEF15AD7C0CA1061,SHA256=276394D906E13EB537135F8FB9FB7CAE7B3BFE69D732F24703A555664655DA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:49.865{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D01C4A64602AEC3F24DC8031470BAE2,SHA256=7FEA0442079ABD3EA708EF1D10DA8454C96F937E9F94CB7638EB456B833EB739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029299Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:50.634{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E5853B06A73F8A26C0BA36F1DAE29B,SHA256=7EB8DADBCAC6834B90FBC7C2CF41730A21FF2B0D63755BBA29090E1AAF874F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.872{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4A2A9BFE084FFC02F6FACA9EDB9421A,SHA256=2B7EBF474C916AC2B6737D2AC7889665B862565F940972C4374CC9CE84458F2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5856-60F5-CF0C-00000000E501}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5856-60F5-CF0C-00000000E501}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.494{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5856-60F5-CF0C-00000000E501}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.495{43EB4363-5856-60F5-CF0C-00000000E501}7492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029300Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:51.868{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FD6F60835D40452891F523FDDF1A9AE,SHA256=961F59B0310258B7BA7C9C21D379E9DC20AEADD0202FB5EF762095032776A983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.903{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5857-60F5-D10C-00000000E501}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.901{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.901{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.901{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.900{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.900{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5857-60F5-D10C-00000000E501}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.900{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5857-60F5-D10C-00000000E501}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.899{43EB4363-5857-60F5-D10C-00000000E501}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.874{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71B64A3A851510E69C88A7EBD82277F,SHA256=59574B100FB4FEBF0E40DC60DC2DAAE576F2B4FF466566AF450C480BB1B070C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.513{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7F4588BEE0A996B188AB1CDD82347D4,SHA256=FCF1001C5C76AC1AD0D1AB18C9D9EF9415BD14FABD01265D7F400EB771C6CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.513{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42463BF26A66996B91AC7B27882E6D7D,SHA256=70A1C3D9D9BA6450EF656871E0C8EEA405AC63C67812C662E7B00BECC3ADF2D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.499{43EB4363-5857-60F5-D00C-00000000E501}43087948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5857-60F5-D00C-00000000E501}4308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5857-60F5-D00C-00000000E501}4308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.313{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5857-60F5-D00C-00000000E501}4308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:51.314{43EB4363-5857-60F5-D00C-00000000E501}4308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029302Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:52.962{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31FE43C76A598A49D9FDE22CECCD2F3,SHA256=F7C8272021B3A7B3B9B8F7CFCFB1D830130A006E2188D1487F97A164627EBDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:52.925{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7F4588BEE0A996B188AB1CDD82347D4,SHA256=FCF1001C5C76AC1AD0D1AB18C9D9EF9415BD14FABD01265D7F400EB771C6CCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:52.875{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54C33239087840AB26B8458A3D7BB176,SHA256=889AE91AB5779E74D76395A8B382D6D7A862DF335AAF7C9D139E0373ED463822,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029301Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:51.078{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000066735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:50.935{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:53.886{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F315F4FE354633F22A3484C582A635E,SHA256=16BE73CDD282660AADA3C58AE677D43A84721DC3074664C8F15C970F2CDB8BD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.888{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6B1B6C3D38720814A8A7D783629CEF,SHA256=6F58F46FA13F8DBCA15DB8676B131DCA8CB06EF7843B673414556295D33A958B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029303Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:54.196{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECA9E94D3F4BEB979288B2D555FA10A,SHA256=D93317CCB8DD1CDD96FAA64189B7972377A00DB92C40B0A77526F871C255BF37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.848{43EB4363-585A-60F5-D30C-00000000E501}75807880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.704{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-585A-60F5-D30C-00000000E501}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.700{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.700{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.700{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.700{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.700{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-585A-60F5-D30C-00000000E501}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.699{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-585A-60F5-D30C-00000000E501}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.698{43EB4363-585A-60F5-D30C-00000000E501}7580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.677{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43F60D265E4492733035F0B2FB1811A9,SHA256=4F9B98D5515B9A124F88907550F80FD8CD06D6745EFBA4228849DF8115E7679C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.227{43EB4363-585A-60F5-D20C-00000000E501}78605724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-585A-60F5-D20C-00000000E501}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-585A-60F5-D20C-00000000E501}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.016{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-585A-60F5-D20C-00000000E501}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:54.017{43EB4363-585A-60F5-D20C-00000000E501}7860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:55.889{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0354A6FB13489BF70EDE6E9F9FEC5F03,SHA256=92F22B106A5C13E438C9B666B6CE65A7F17D40880F5364FDC57352C258722C4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029318Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.759{53AF6CEB-585B-60F5-1706-00000000E601}40881600C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029317Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585B-60F5-1706-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029316Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029315Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029314Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029313Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029312Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029311Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029310Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029309Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029308Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029307Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-585B-60F5-1706-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029306Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.571{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585B-60F5-1706-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029305Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.572{53AF6CEB-585B-60F5-1706-00000000E601}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029304Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:55.353{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10C6681F11BEC4FB7F494A947C17096,SHA256=51259B8FA6F78F2E545C20EEA87359CA13EE252DFC33084761CF5CF10B56EB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:55.702{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9F627DAAF7875C4BD401A4558A2418,SHA256=6D90E54948C06BD025CD7C0DF11C3B9027EFDEC319B6EB176D6DBDF99D60403C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:53.609{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65164-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000066759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:53.609{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65164-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 10341000x800000000000000066781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.907{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-585C-60F5-D50C-00000000E501}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.907{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.905{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.905{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.905{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.905{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-585C-60F5-D50C-00000000E501}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.905{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.904{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-585C-60F5-D50C-00000000E501}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.903{43EB4363-585C-60F5-D50C-00000000E501}7664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.904{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=88B16FEDBB5BF2DC76885166B3C36666,SHA256=B3B0B8AC41DA673613D23409D0BBEAC8E52AF32056B36545D6ADE913D1D8DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.891{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC0FD6DAFDD0F44959D1BF166D758DF,SHA256=4F6FE56EFB5E4AA2B886C80F7B3A30DBE939CD0C70B7650A8E87F030C93CA16B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029347Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585C-60F5-1906-00000000E601}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029346Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029345Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029344Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029343Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029342Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029341Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029340Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029339Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029338Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029337Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D138D302C25910899E79B4F746BF755,SHA256=1F5F23E0132C5F418DE7FAAB22A69AF764101CB56BAA0536C2DB50A03841ACE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029336Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-585C-60F5-1906-00000000E601}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029335Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585C-60F5-1906-00000000E601}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029334Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.746{53AF6CEB-585C-60F5-1906-00000000E601}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029333Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2211894111F1A89F881E5ADBED525443,SHA256=5E29D042DDC054BA045C3D9F16AB0530FF91C87ED288E20A6792D60864784658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029332Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.743{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEE6C4ECE0DAC4EB77592BA1726457F1,SHA256=1A2C55AE48A437D253B7AB8878573F08D69B9AB4580E8B0468F39ED4F1500107,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-585C-60F5-D40C-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-585C-60F5-D40C-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.089{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-585C-60F5-D40C-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.090{43EB4363-585C-60F5-D40C-00000000E501}7424C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029331Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585C-60F5-1806-00000000E601}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029330Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029329Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029328Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029327Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029326Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029325Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029324Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029323Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029322Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029321Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-585C-60F5-1806-00000000E601}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029320Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.243{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585C-60F5-1806-00000000E601}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029319Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:56.244{53AF6CEB-585C-60F5-1806-00000000E601}2804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029362Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585D-60F5-1A06-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029361Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029360Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029359Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029358Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029357Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029356Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029355Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029354Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029353Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029352Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-585D-60F5-1A06-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029351Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.821{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585D-60F5-1A06-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029350Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.822{53AF6CEB-585D-60F5-1A06-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029349Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.775{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05A0D234BED9AF792994A8749B63708,SHA256=2FF6D9CCF1AEEE2BAC7B0688BD7B734D27E71BD673FF2841984D3166282E8CB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029348Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.775{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D138D302C25910899E79B4F746BF755,SHA256=1F5F23E0132C5F418DE7FAAB22A69AF764101CB56BAA0536C2DB50A03841ACE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:57.910{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAA4D5E4A0FB9ED3DCF7B93E1773979C,SHA256=1705F230F580605215EFE11525C62E16F3F3F00A6FACBABFAE377A8E4AB36E88,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:56.163{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:57.092{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E0FF0F768A8331DF3E28A5949D17D4,SHA256=534E82F57A077A46AA49535CABACEDAA0E3ACDEA57C9326E60E26A81607E8976,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:57.082{43EB4363-585C-60F5-D50C-00000000E501}76645280C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:58.944{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E911791AF39110EF29B857270466C42C,SHA256=A146B6402E92E5A76C3B93C028FCACD1BE96F239D7482F8468BAAAB6892FC385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029364Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:58.837{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C37E41A328FA94F45B0F3B403FE9566,SHA256=C134492B9B96B14EC0754E5341CB8896634CCB6B151D40B6BB47BC0EF5434597,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029363Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:58.087{53AF6CEB-585D-60F5-1A06-00000000E601}32563144C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:47:59.946{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265C9E4AAFBA84063A3CAA31FA66DF17,SHA256=E6B3DACBCD8984D48D600CEFEB6884FB05F583B27E1EB5994DEB130CEBD61332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029394Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:57.047{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029393Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.868{53AF6CEB-585F-60F5-1C06-00000000E601}19803460C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029392Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585F-60F5-1C06-00000000E601}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029391Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029390Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029389Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029388Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029387Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029386Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029385Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029384Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029383Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029382Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-585F-60F5-1C06-00000000E601}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029381Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.696{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585F-60F5-1C06-00000000E601}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029380Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.697{53AF6CEB-585F-60F5-1C06-00000000E601}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029379Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.165{53AF6CEB-585F-60F5-1B06-00000000E601}32963124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029378Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-585F-60F5-1B06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029377Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029376Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029375Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029374Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029373Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029372Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029371Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029370Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029369Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029368Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-585F-60F5-1B06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029367Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.025{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-585F-60F5-1B06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029366Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:59.026{53AF6CEB-585F-60F5-1B06-00000000E601}3296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029365Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:47:58.993{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=022D5BEF58FD937B1AD41E1B43815365,SHA256=EAF023346192FF817D75C8AF1D4211CD523FA3CBFE03BFF7F06A0C5A1C732392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:00.957{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B6201947F73CA99836448E41C0C6D3,SHA256=0440A50DE295BD149074771A5F95C165D67D35028754ECA5DD0E386951491EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029396Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:00.196{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A598A2979D7DA282DD61A62DDD752EA3,SHA256=F0EF61A747305F5AF715A84513B3045458B322CEB280EB9BAC762820169663FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029395Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:00.134{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9466B041AC1AC37D9047DB05F948A70,SHA256=DA03958BC7144844FE967C9088705FCEFC1766F58E9918426C44317B6BF149DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:01.969{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8558430DBDBB083ADC8C4BAE7523D33D,SHA256=1F68C7F246FBE209CCD8DEAFF6CBECD2D4F507C81CB0815409BA4249AB4BF6A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029410Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5861-60F5-1D06-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029409Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029408Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029407Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029406Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029405Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029404Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029403Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029402Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029401Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029400Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5861-60F5-1D06-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029399Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.337{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5861-60F5-1D06-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029398Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.338{53AF6CEB-5861-60F5-1D06-00000000E601}3400C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029397Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:01.212{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A455FB745513A1F6F0539F56C06D77,SHA256=200AF946804D4295BBB4362587418CFCFEC60B31FDCC13BA02251336A593F1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:02.970{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C443EBD8DAC87412E6928D7E3C4A3160,SHA256=0C4F42B85FC7C0B7989A6A5DF7623424669E0C51A7E38FF0AE4A67DCBE203C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029412Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:02.353{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E945572944BC2265163FCCD4A81143,SHA256=99FFECC2B4CAC5D67C6FFF70028C686CB811F5909FA5A6389F2DF4A800D040CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029411Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:02.353{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EEEDD98BED6DC8D52309DFF5368A5AF,SHA256=2456A2836F4F18127957DA25F7829B5D24974BF4EA1B077460AD3E0B2B78EA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:03.972{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309698A6C7C29B94469089CECE11CC5B,SHA256=C4FB1AD9DD53D540930A126A60FB5C75DC52C9675C717867A280BA7443E146FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029413Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:03.357{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA70714A5E7C75E3E97438AF54EED79,SHA256=FADE1171ED05ECC5B52781EB7C909118D7D4E9CC8672160C1A6E7BFC45B423FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:01.170{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:04.985{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE4F55039636A2BCF0A0F34440DCC10,SHA256=B66E6E50730B3ED04C67248840793FC58C7494348E42DE193B471737B42CE2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029414Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:04.591{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A1ABE30E59DF1C95B82EF3B36D2B89,SHA256=37E1ECCE77D56232A25ED8C9EB484E9E3B1967554C80121D7E68396FB5FEF13F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:04.763{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:05.995{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A9A0CC60CED872A6CD77F599FCD23E2,SHA256=BEFB13702D8E007C258507218EA01D9ED8919B3D5801C8333099F964EEC72094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029416Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:05.794{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F8EAD967955AD8649CCC41C91B4C89,SHA256=ADA48925E300A6229C7E3806070453523F26BA10D8FCE1298B37E453A51349E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:03.568{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65167-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000066795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:03.568{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65167-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000029415Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:02.926{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029417Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:06.919{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=847FF7F665F6F2B59A009A9D1324A010,SHA256=CC2457548182F9BC1D71DCA000BABE3724CA9F2E550BCF02C91DB10C8CB5335E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:04.676{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000066800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:06.178{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:06.996{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF9F38E8A2B137D8FC6AD10DF76322DD,SHA256=BA281876D78E4BFA730215718289E7463B9C9A6CE2B8E93AFA12C7B7590BC149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029418Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:08.060{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E8184B9D35F9CEFAFCE00158DD69B6,SHA256=D0E0881526BB8F8E19089EFC8C509B8BBB1617BD8F1A886E43C6B6E063DD5641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:08.008{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F0CC71A11070BC40F557AF721A2176,SHA256=F9147950ADA72D59B1211A11B9053E582886E3A57C1D834E5B1AFFF6DF44153B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029420Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:08.004{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029419Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:09.138{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D555417B3F5E3863340F12FA7090572D,SHA256=FE117359821450223538ACD6A74AD7375F760D18D3B020179B143140CC875127,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:09.009{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D2FAA0808837BB112D90BD45E9B861,SHA256=4D329EB92B89862C8C3A15772EAE4BD916D36B3D361084C8DACBD365519AB291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029421Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:10.373{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5652D9A7661C854A6A4F5DE2EF2D91D,SHA256=FEF6DEF446C366B27B1B0CA309C3655776C34EA74228C430A2339AD8EB89F558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:10.023{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22858CAB805E582A003AD05F85C4948F,SHA256=D00041F85D14C4FE7A2A0CA4AF95A99619CE26FC5387FC6F0262DEF570EDBB19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:10.023{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029422Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:11.607{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8631F296CFFDFBA001BC187FF30A9E3D,SHA256=A4EF3D17401E02028FDFD6EB6C805E4767BE271B36B89FDB4610FE1056D895FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:09.450{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local54262- 23542300x800000000000000066805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:11.032{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA274AE5053A35A34ADD16A41CEE3C8A,SHA256=8630CACA2C7A46978577A97765AF7055E7E58B84956CD756FE30F2404531C68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029423Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:12.841{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D47261CAFAEF0882A755460E8B7271B,SHA256=9C7C7141211709522B555627E4D620F7314DAE63B4F3D8D2AA221CD5B8121EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:09.453{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65170-false143.204.205.36server-143-204-205-36.fra53.r.cloudfront.net443https 23542300x800000000000000066807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:12.033{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222802BE0CBD79A90209A4AB24A3D2ED,SHA256=0D693AB0E066F00BBA890A49146EA1B5816896EB8A23EDC266A5CD57AE734773,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:12.146{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:13.046{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF988FCA79B8B68F49D4E06C14A45574,SHA256=4520023DF00F9D4B00BF4F415F194ECCC52F23307D1A57703AB99AE416C27C1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029425Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:13.113{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029424Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:14.076{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B590F2241D091CEF177DA075683F8B,SHA256=0E38610A28D1ACE441DA95D13680E438977720EE484E4F00073C5DD3B2270F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:14.066{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64535C2B05F9EF7060E3CECE7C403719,SHA256=BD25F57A543EF16C3672DD6C018B21CEE970E2BA7E36B8DDF3AB4A63C1FE067D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029426Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:15.138{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC94AA9D91E44F88251FAEF749FB9779,SHA256=D74A292E612920E36E9E1DEDA9A453534B4BE88C2055AC57DFED0F6F78C9320E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:15.068{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BDBCB5571BE965307DAB2B3ACB48E8,SHA256=3C33560D0AB8A3278DB37B7E20087B0FEFE4238B8C71EF3A9F854E81A95B8972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029427Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:16.373{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C702854795A1B83DA47DB701281AEB0D,SHA256=EFD2DB40DC39784F73AE6563710FBF15ED07E879FE9D9E3FDD4D89218D60BC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:16.070{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B7CBE1245DD693426926EFFE90BF41,SHA256=E85289BD74988913B6F57B42FF3D6A40AAC28B1F62E02D9392BA86130AB42319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029428Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:17.607{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDAFA7BD7608BA0D9763596D8C70DF9A,SHA256=798F1BFE01DC4310615C389347B586D8374CF221C9DD9EC2D89E652401742CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:17.091{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10EA0AA8610D70C2A0A16567A3EE344F,SHA256=5893084B3A68CD352B6FC2DDDF3FE47225F87AEC586892679E475B85C2216DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029429Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:18.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78364FAC78DA4E2D98059F6A392668C,SHA256=16D4537F69D3CEF53249DE21069A5D471BBA57CB4B195E82357373F1F06B589D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:18.102{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57C6388E41F24206138719910AAD3646,SHA256=CFFDEF9D6CD98EFE75395F2549EC5BCE649C034D06124D0F1DF0B7AA39D9E413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029430Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:19.810{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8BA289173381BA8A1733C819BBE3E3,SHA256=6E5E1816EFF9569AF179EF53F131E03C8DAD96BC3BD1DAED560BFCF906C5A270,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:18.145{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:19.104{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA46D6C606CE42659AB46517CF3587EC,SHA256=3B68EBE8F87CC2480DE9513D8F35C4DF538C096752E52376F8B67DC1D22DD0BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:20.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDD59F0429AD2C22A0DC04141A7CC78,SHA256=A136CD1F22EEC1B28F28608FA3065F3C0DD67C2860D78B9C641DDD126D49CF9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029432Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:20.982{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7689D610C07A2D7FAFA779445C54F614,SHA256=33169ECBBFD80219EFE8860ADFBF5BEEB1E1155BB2292BAA2D4503721B434E0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029431Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:19.051{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029434Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:21.435{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029433Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:21.044{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CAB60839E3CA1E8DE46C9519CF3B747,SHA256=956517F125E89A8258BCA036537935E71C129AC95501398FE857CF728B4B7EAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:21.768{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-37A2-60F5-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000066820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:21.667{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:21.117{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=852C1D268B59D7C1B616D11EE108C242,SHA256=7C5F1E5278B47C9922184FA3C55D4D17894A33DE6787137BD57BE4F41F340F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029436Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:21.301{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029435Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:22.279{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63FBF41041998314AFEC208E87C72D6,SHA256=B80E996E775FF289FCB31126EE4FB102644F529683770F3B281C08698C5156E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:22.780{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AD557F8096CD0A3CCA17844E8CEA67,SHA256=8D5145946DCEC65346627A6C2B6C6DC5B18CC6D3CA24E50FAFD5AFDA86055664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:22.780{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=821562DA78DC76AB8360839D628A419D,SHA256=9781B8227D95207EAEF46DB56CFB1284D7BA5EAF7FE961A33925F0F75F9699FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:22.129{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD46C3FCAF4C66DB406D7B05D687693,SHA256=A7D7C91B1A74C635DDD6A539C51BCA98CFEA84E79F0E00B8A674D8E1B4745F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029437Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:23.518{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF218267F0777E8E6263FF6956F5107E,SHA256=42AE58E3412F1587DAB23BD1AEAC0580434333298CD3CA3C090CCDBAE4829908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:23.771{43EB4363-37A7-60F5-1600-00000000E501}12723336C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:23.771{43EB4363-37A7-60F5-1600-00000000E501}12723336C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000066827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:21.702{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65173-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000066826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:21.702{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65173-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 23542300x800000000000000066825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:23.144{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA68B19FC2B63E18CE513C9748CCC1DD,SHA256=8261479BC8342DA8906D5D919BFC7849B303201116537AED2958F5FAEAC7A85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029438Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:24.737{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7964AB5E22096CB43A34930660B915FA,SHA256=6CFBB151BE54E05C58993FB23BD217FCF4312E8AF6A98B5910E1B1F529CC9C84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:24.732{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=12D5E3360FC5CFF47E3846B5DC82FDA9,SHA256=0A442A6AD102521E7A4AF62CBF7474A745AFCD05FE20AE4EB4A5A1801F288CE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:24.151{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED9615CED30D3481B30D9216F3ABE902,SHA256=B332D781831DAE14DE5B810014A9B7F84BC82E23B815D10329E5CDDB081FE918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029439Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:25.893{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE97873519232338B9F9EDE135862ADF,SHA256=8A1BD0E0FF79E86FED733F2607F07AD5441FA410D3A3214A64CC0C4EBE5BCDD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:24.146{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:25.153{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237E45E44A2ED06F081A6F6570D8DD59,SHA256=B9708E4D4A5DC8D4BF308E79838E157509A3B98E406213CE50CEC96466869E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029441Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:26.909{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53ADA821FE43C3B759A2EA1F3EEDAF61,SHA256=9DAA04C307BA8890FF7E8F6D95841801A68DF2B4276D1F236C2AD2BBDCD53DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:26.165{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EECC01558D88B71585AFF52724FE34C,SHA256=B10E71FB117A1DDF888D15C18B8859CD30676750698F2A59B7CB8327821463DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029440Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:24.946{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029442Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:27.924{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF68CEF87D8E9F8E3A6923537A6AF7E,SHA256=10D37EE96B0B29BBB9D54F9E55A48FCFF60B17EB47C32EE8DEBBC9889AF80325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:27.167{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CCA518C76AB486376A62FCEB522386,SHA256=93804734E3B39F80232AD03EB7ADF61328972A676FD849DD779F4F662DE66B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029443Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:28.940{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D88C4E03DAF5ED336323F1B3D4359FA,SHA256=7BE9C1C6E0832BC6E3700313419E5906A7F395727618B6E43A38FEE19A1CA1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:28.179{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDB2AD650900068D3321EE055EFD7988,SHA256=E7BBB2E17EFA17F9F10274677A11FAA9AF3CCA2735A7FE7534AA2967EFBC39CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029444Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:29.955{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E64FA19CCEC2D71C417E79BE73927DC9,SHA256=7439EB3A4E328FDA0D66FB4F634150AD96BC21F1530ED0DC8EE6A5F83007E7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:29.181{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB8E0304A6274D0E9D9B5AEA5D38B2F,SHA256=FE2130BA43BF8027720EE4E57CF537DD6FF26EC5DFCCBAE50152BC983918038A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029445Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:30.987{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5F0B757BE6A1E1F6C28E4E20B1FAC4E,SHA256=B9EEC1812E25A54F5754FBC694E00697B9D082DB61A4457B892078C054A6DDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:30.192{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B91CC304F4750AF7FB60A210002BDC,SHA256=1ADC942C7035F38DCFC4932243F154DA85AA49454AB90281A78CBBC4CCF787B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:30.105{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:31.194{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98023068CB0F210AFF35CF5B8B4FB8E1,SHA256=C64D36B673FD0476DF5826B6D98DE2A539007083D10B18EE826EA3894D2F9316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029447Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:31.566{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A34431D2EF94799A72D4B37E3157550F,SHA256=1E2FAC942EE73E7B18E4F0F3BA8BB3997E5BE8FC2378B7365B66D27AE3181D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029446Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:31.566{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=70E63BD745481CCED2C1B2EC5C948198,SHA256=60FD9C5D0C176BBEDF175E8CD295FE54AF8F0799A690686AC0658FABF1B28169,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029449Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:30.134{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029448Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:32.207{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32806C1F7012E4041360CF677BE9DA7C,SHA256=F82946B82F0AAC5453B3661691B459C39C8187BF4D761E5CA9AC9652BAFE0A2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.585{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8B7605CBF1E1CE7A082394798CE14303,SHA256=4364C843DF842C294ABA17C6B94330CDB7BA221EC48F15D0BE04F2D18DA28DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.585{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=1AB790E65A400D2EA9C2E855FCE9AE58,SHA256=E8CED408C715BC130FE42C64CCDF2E40D6862CBB74D23303DFCFDF3271C39596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.575{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=0ABCCF29603DE310983E0CEC06FA14D5,SHA256=8E10F2EF1B2F45843B24456F64241238377E09E109BCAABB8348D22CC1461A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.575{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=2ADE46E689858C112C1989112DB2C9AA,SHA256=ABECC5066A7D6DDD4DBBE8F611CEC004B77CCAD5E390D47CCA95F0BD2EB5A1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.575{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=4D9860AB75486C1FE54C43963F2F5A5A,SHA256=F706572F8AE482CC67A3390B634D409DE3C7800B3368F845711D62FB3EE1E8EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.575{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=F043E73DFA7D4D7DB772C5AAC9E2C151,SHA256=8DED584664E13BEBA33BA07D2836A64747E378546A2AEF7CFB9673E2A3C5DA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:32.194{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CED1679CA0AAA79C848FE3C5B9E0452,SHA256=0900E92413B3EDF03A9C72498701B03B0FDEA5968D222EA5E206BA95EBEF3E5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:33.527{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B8E40EB469E92B6B1000DADF831C97,SHA256=6E87559FFE4C8EDDB568570FB6424C83D204792706FC17E93EF480D505D7F647,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:33.527{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78AD557F8096CD0A3CCA17844E8CEA67,SHA256=8D5145946DCEC65346627A6C2B6C6DC5B18CC6D3CA24E50FAFD5AFDA86055664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:33.205{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B75B3B407CBD694ACCDAE833D5A610E,SHA256=31B6BD9E2E8C7BE6FBB805771B91A85E7F276A638B8F8B4D5177741FD36E59FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029450Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:33.282{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD45AB56438564C9F08C860582D10AA8,SHA256=F77E072990C8BCBA6D25E0D1C27B49DDEC7712F215728370EA3C8ABAC200E84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029451Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:34.316{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A260608811EED9BFBCFF3EA6922FE3B,SHA256=850D4435985C715AEA7C835B2E8ADC22F7F03793E5A2995C963A255E45BA4AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:34.207{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F74005EA05B05C2AC32762B5F816446E,SHA256=E71DC804029341CA8A36DC704E897CE3BC6AC3813F0FB68642B3C960BAC148D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029452Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:35.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D2B494FB4DDB011F83AD61D681C941,SHA256=CB2707699C54486A209CC465964A45DA236BA7B2FF65C4B10D102E263391B60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:35.209{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A86702FE8261F3208664431FF573BF5,SHA256=0B986778805ABB2C9D852DC591674F59857DEF5249FDB7D614AE6E3426301791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029453Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:36.441{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A885139581A59C564C1BDAC678D5C7,SHA256=08910C7487BEA9BE9FF76F96E1D92A945F0877BA4AF513E94CDE51AC8A76074E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:36.220{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06D6204F4BAED264F3E1DCC1D5369745,SHA256=71F6453A8A57A4DDC5AEFCAB5A9FAD63BCB199C681D4770592F3EA56DC5571D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029455Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:35.994{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029454Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:37.442{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14CD9F019C212FA86B4899FA1536D904,SHA256=39FE472ECD88C68F04E8542FD084DABE8573FF54BB9474F9575DCE0FC78DD105,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:36.073{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65176-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:37.221{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896B5E221E6E77F2FD76C31E5CBCA3B,SHA256=4F1F14E3493ED826BA0F5DA4701D0303188A631DFA631804B2232F765E4AC0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029456Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:38.660{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0A2D6A7A1B56356EBF4E18D2C318D9,SHA256=436866B16A0A41E360B86C072B5CFD49A51AB986E43CA0B40ABE682AA5270691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:38.243{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37A46EC31096F7AE8F8F1336E05B2A2,SHA256=5183ABF6E85EEC39A0A995A58B2726AAA51C520522E6111F419FF6A51266AE79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029457Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:39.675{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E2FEA6F91B61540606DD5AECD90FC12,SHA256=3C7FC8D655833E8777E7503F7D2213EB415F22BBF625D658F611A816B0A9A0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:39.245{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7ED1102B22B75FFF2F2B3ABB471454,SHA256=A61C2BFC59EBCAC5CB2F85F190F46324B2AF6B02372BEC375718A5F1B7A392A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029458Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:40.691{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84402985250DCFDBBD6FFEF9AFAD7736,SHA256=A60B06A43F4AF84176D1A5C6AB77648DC15128BFE69FA61AFD6F4F07A9334D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:40.246{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48615A237AF469921E3EED388CBB3175,SHA256=5EDF0D09D59FEBC2C0E9CCF80B4851A3EAB2D253D490E1C93737A6B33413A716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029459Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:41.706{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362E88A36894FB8111F8AFC59F917B35,SHA256=436F2ABDF0A6C4FB94F5E7F46A1A1C9F4B27962FE9AD76C0FCA629E71A82712E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:41.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE5D6D54644109D48767D320689BCA0,SHA256=F7A2FBF8DC9EA1AE2D06A92081CB1A3CA102B2FEAEDAA2BEE8A5B4261DFD8676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029460Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:42.936{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBAE744607825BC750632B6835BBDE2C,SHA256=8074B3E930348FD46D45A6495CF170F3A0FB4478A16D6294FA13758B9CDDBFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8D529C7CC83B9C6C0C031946FC648CFD,SHA256=130BEC3D3D5F1F5D6775B10B46A8C1CFB29385D00887E05507ED80474FD45002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=5E78D2B6CEDEDB504F18F78D09B715B9,SHA256=54532E0F9353C634AB3DEF5D560F368380E9B3A09A285CB67BCE1D4EF6D46628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=0695974E79950AA70BF66D575A224A03,SHA256=CFB5AB4E77B306B150A75D4CC6488AAC41552FD6CFA4E4A0F074F3224FB03C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=CD043A0A12EB7A3A30A6396B18868EA8,SHA256=45710F5DD37A131AE854C4465545ECDFE1985B4475B353058964B874664336C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=6A311FDF91466613EB3774AF640C25F4,SHA256=7C7717C8E1C8AF0D94ECF73C71B87843E4AA4230344593D5B948B8630694A8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.609{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=7EE557C46BEF4E15B123FD0201523D38,SHA256=5081620916C8F3729555E6B2E083E1332F65653FE039B15DD97272A16CF8E67E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.371{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB3BC5D55A3D1D58067DE82E96000C6D,SHA256=FE9CAE1305955A5A20F487BEBA162BDD75842A25DB0A911643B48D7FEA512118,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:42.071{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:43.390{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D377D181B0F6053BF87903AEB3CC4C40,SHA256=EDE88205A1B5086EDD37C09DCC35766E10596B92291479C2C68DF2537B22B78F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029461Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:41.947{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:44.402{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66676E3C52460C2BFD898A46D8E1EAC,SHA256=EC1DAABC47D24A2A7ED398947AB6F9B529D3DCDEA1D747ADBD5E77D00B0D9C7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029462Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:44.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAEF3607EF3B776841EC73181D4C1029,SHA256=B6D4F8CDC5A0F6D47CFA781B1C4B6ECDAD3FE477305D1EC6CAAB8AFECBE86185,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:45.454{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDC37E47B3A01F61EB488CC8A65B9575,SHA256=419571B37C31809E21F72E1761BE84C58B59E9A9346A94C0EF0DD323EF1B9890,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029463Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:45.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358222F3180307786F3CA71BC1044AD9,SHA256=B9CA20A0C044A70A4120DCB02CC6AC9BD7219C69EBCA1AF94BCB0B4C08A9D1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029464Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:46.155{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B31B3AB2B1BDB86D4FA9DCD56C59FB4,SHA256=DA70E62EE6856ECE5D8E3BD06A773AFD40668E2F06DED245D02A157218AC9931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:46.465{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E50A97D03E3F4CF45E66C4E439EDD653,SHA256=C94FF03051A8EE1C3D463665F0CFE3DFEC20451F3148B9FF4D0AB0C662F7C301,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029465Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:47.389{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99253F1FC78AB67E0CC770CB0BD56C0,SHA256=ECC06577819972C89149ED053DA8FCD3956222B0782893A61967797552452A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:47.467{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39B22B8EB4BA08336CAF5FD3EE695780,SHA256=1D2D41329986C8A113E9DFE4E32142E1F4680A1E452A87B2CC6D11256CBE6DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029466Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:48.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD7BD96FF7283DDFE9BB2769569E2CC,SHA256=029C733ED5D8FDC397D8A0903BE4AC82A37A5ED15DC15A0A3F59F58F231E94BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:47.149{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:48.468{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A6E1E6BEAFEA20A7A646E3956C2B15D,SHA256=1BACCE5C20CDEE10B2F5B73C0B985FAF69AD713FB27731DF6A2AECC9B36A4473,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029468Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:47.927{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029467Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:49.623{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2CD84FE5E72A813F6AB6D1C1C0CFCBE,SHA256=494EAF1DB8671D8605C683599F8CF63F481683FF95C7AEDC8C381B92DA734012,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:49.483{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB50B6C6EC6118FEAD265C3314E697D,SHA256=3EBFD007C4A0D32C0429A5042E8851FC8B8414B3AB0B04A84287F5D4AFAF0EB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029469Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:50.858{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1BD9917D665EFFB6DCE581350DB664C,SHA256=DBF3F2C10DC72D7B386533D06A517B4087F0B406ECD2E7665A29B76E0073A52E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56134FC176150A0214E1DE88D332ADB9,SHA256=60F7DDA4F251501958D76C984DC93335AA462D1A290FC54A0CCEAFD0FB6F6BF0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5892-60F5-D60C-00000000E501}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5892-60F5-D60C-00000000E501}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.501{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5892-60F5-D60C-00000000E501}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:50.502{43EB4363-5892-60F5-D60C-00000000E501}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029470Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:51.920{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99460D37DBC35EB76EB20FE6DFA433B1,SHA256=E13010352DDA163AB901D12D64AEE885E483A64E8683372455DD9C40F73A11CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.994{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5893-60F5-D80C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.992{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.992{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.992{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.990{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.990{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5893-60F5-D80C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.988{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5893-60F5-D80C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.985{43EB4363-5893-60F5-D80C-00000000E501}7712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.513{43EB4363-5893-60F5-D70C-00000000E501}56207228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000066926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.513{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB88896C88C4C9174AADD34820EAAC61,SHA256=3FFC9FD91DB74E070993870C23F0E5A710BEAD307178F0652A3E8D9E52EB7196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=176C3EF02D41039F239D853C5D09C2BC,SHA256=E9004BE14A25A3AE4D99A3CD02F200538DC827E5DDDB2EEEDD572B25029AA294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2B8E40EB469E92B6B1000DADF831C97,SHA256=6E87559FFE4C8EDDB568570FB6424C83D204792706FC17E93EF480D505D7F647,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5893-60F5-D70C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5893-60F5-D70C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.322{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5893-60F5-D70C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.323{43EB4363-5893-60F5-D70C-00000000E501}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:52.991{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=176C3EF02D41039F239D853C5D09C2BC,SHA256=E9004BE14A25A3AE4D99A3CD02F200538DC827E5DDDB2EEEDD572B25029AA294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:52.537{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7AA2359C9B926403CA1BF6548D095E,SHA256=3A572D23E6C353715FF802CB019E4D40BE5B7340FE126EDA86D1D61FC246B4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:53.539{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC8E69645870A26F3AA596647490287,SHA256=25D09E61F1543228F751DC90E41E2D6106CBA7D6EE2CFBDC20D1F966CB33C975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029471Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:53.139{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F789E6DD1D25FBD0CC213D2FACB18D2F,SHA256=6072DFCD5CEC2EF96638A1AAB56C959398C2367545356F69F7DC6FF657389CE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.311{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-876.attackrange.local138netbios-dgm 354300x800000000000000066938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:51.311{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-876.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 10341000x800000000000000066964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.893{43EB4363-5896-60F5-DA0C-00000000E501}57167960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.699{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5896-60F5-DA0C-00000000E501}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.696{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.696{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.696{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.696{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.696{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5896-60F5-DA0C-00000000E501}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.695{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5896-60F5-DA0C-00000000E501}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.694{43EB4363-5896-60F5-DA0C-00000000E501}5716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1002ADBA1C36182F0A2AD7BD58174E5,SHA256=5EE55C99FD6D46CD2C74E16C1BCBB640C53106AB222B56660F12ABA77478A4F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2745D75D5093FEA145E9B12185596FA2,SHA256=80B6B1EB5E3CF8B1AFF1540387E7FF54A910472165AC6ECD8C4987B008E324DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029472Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:54.233{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D32166BFA7BD062E90AF10474FCC9DD,SHA256=6EEC6B64B62E85B99DAC41D7481F7E14C212A1DDBBD23D537B7FAE9709A7DF8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.252{43EB4363-5896-60F5-D90C-00000000E501}73086060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5896-60F5-D90C-00000000E501}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5896-60F5-D90C-00000000E501}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.030{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5896-60F5-D90C-00000000E501}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:54.031{43EB4363-5896-60F5-D90C-00000000E501}7308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000066941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:52.169{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65179-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:55.716{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14A57A80B5A1236E4329F0F6F6FC2408,SHA256=4EC45C4821AB16AB1B1D5F503A11607B0B23D46E4A0F0F2A64BBA7F909F2907E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:55.575{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E86AEF896DE0451E580DD9DEE2BD8EAB,SHA256=8C7839018EBDFB7DB27108739C204059B761176F679B35F6BDB880390F577261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029487Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5897-60F5-1E06-00000000E601}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029486Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029485Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029484Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029483Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029482Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029481Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029480Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029479Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029478Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029477Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5897-60F5-1E06-00000000E601}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029476Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.561{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5897-60F5-1E06-00000000E601}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029475Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.562{53AF6CEB-5897-60F5-1E06-00000000E601}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029474Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:55.295{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DB01CE3E4D558BAB786582660F98173,SHA256=DC767414D9914E21B2DEFBE061C249C97AF9CD627229B5D71B6FC5F761480F40,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:53.613{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65180-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000066965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:53.613{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65180-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000029473Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:53.005{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029517Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.889{53AF6CEB-5898-60F5-2006-00000000E601}17482544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029516Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774CA76A3845673B47C41AFB2C3F885F,SHA256=8D8704E95FF1C0D5C1903A4BE90D09D8A94A7BEE5994829FC558D981285D8AB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029515Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DFBCDB38B1C0304E9D2583457896082F,SHA256=335F9C84A77F9D1AE05DE8EB71D2BABB25A0FC8476F7C9D27D0ECB5E201D0355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029514Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36194284A22005BFFFDF4E6F5DAACC0,SHA256=78AE7A329F52EDEAFAC311C34E1DC092B57CC7F099EF18049D385B7E381E0EBA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029513Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5898-60F5-2006-00000000E601}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029512Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029511Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029510Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029509Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029508Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029507Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029506Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029505Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029504Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029503Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5898-60F5-2006-00000000E601}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029502Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.733{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5898-60F5-2006-00000000E601}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029501Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.734{53AF6CEB-5898-60F5-2006-00000000E601}1748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000066985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5898-60F5-DC0C-00000000E501}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5898-60F5-DC0C-00000000E501}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.777{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5898-60F5-DC0C-00000000E501}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.778{43EB4363-5898-60F5-DC0C-00000000E501}8148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.577{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE19E3F346CC63D22742B1EF01345B0,SHA256=0F444C27ED1A4C237B4CD181D9745236E1D1C5EF1178B2CBF37D299B532A9F23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.102{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5898-60F5-DB0C-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.100{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.100{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.100{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.100{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000066971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.099{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5898-60F5-DB0C-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000066970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.099{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5898-60F5-DB0C-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000066969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:56.097{43EB4363-5898-60F5-DB0C-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029500Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5898-60F5-1F06-00000000E601}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029499Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029498Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029497Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029496Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029495Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029494Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029493Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029492Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029491Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029490Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5898-60F5-1F06-00000000E601}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029489Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5898-60F5-1F06-00000000E601}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029488Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:56.233{53AF6CEB-5898-60F5-1F06-00000000E601}1464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029534Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.983{53AF6CEB-5899-60F5-2106-00000000E601}9521964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000029533Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:48:57.936{53AF6CEB-39BF-60F5-1200-00000000E601}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d77c8b-0xad3b9199) 23542300x800000000000000029532Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=774CA76A3845673B47C41AFB2C3F885F,SHA256=8D8704E95FF1C0D5C1903A4BE90D09D8A94A7BEE5994829FC558D981285D8AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029531Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5899-60F5-2106-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029530Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029529Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029528Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029527Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029526Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029525Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029524Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029523Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029522Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029521Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5899-60F5-2106-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029520Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.811{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5899-60F5-2106-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029519Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.812{53AF6CEB-5899-60F5-2106-00000000E601}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029518Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:57.780{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E4AE1EB5C3125CB348C420EE191C34,SHA256=17AE7C52E296678940D8317C1EAB3AAEFFF6CBE4D09C32F932A48A1FC82D2D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:57.579{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BCE73A6AEABF6FB958EFA2053E039F6,SHA256=0B9CFB8CF416FB3701C7A99976C9DE910166A424A6EEBE850B877FC9F0B804E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:57.103{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=594EC2FDD34FDB22BA98EFF11559A129,SHA256=BC6375C058D162A3104D4F8DB68C0727D191F5BA6B990ECF75EF224CCD616604,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000066986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:57.028{43EB4363-5898-60F5-DC0C-00000000E501}81486900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029536Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:58.936{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72458596161B45DF6A3A76D15F90D9C8,SHA256=670AF86B6F831CD88930F650C00F8B31D6EA555F3A82746B636AC6B3C12BA988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:58.580{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6580D3B02ECF36955A0F21FE5A739E,SHA256=93560A1D4AE04756C24FD06A0457F2680423C38B718BA3012B910FEF39190B4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029535Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:58.827{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1747907A6D4F5E30D299A7876EF3224F,SHA256=9C6EB9FDA57FBA663F21A7C5FD015F98E6F2242C4BE59D2D1483714E0CE7C80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:59.582{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8808DB6DEED5A33BC0D02D388ED3E487,SHA256=C6AE5556951193B4F64B80FC933956F55B6AE668B95301379D320C7610FBA40B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029564Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.874{53AF6CEB-589B-60F5-2306-00000000E601}29603872C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029563Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-589B-60F5-2306-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029562Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029561Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029560Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029559Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029558Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029557Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029556Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029555Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029554Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029553Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-589B-60F5-2306-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029552Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-589B-60F5-2306-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029551Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.702{53AF6CEB-589B-60F5-2306-00000000E601}2960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000029550Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.186{53AF6CEB-589B-60F5-2206-00000000E601}29643308C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029549Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-589B-60F5-2206-00000000E601}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029548Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029547Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029546Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029545Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029544Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029543Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029542Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029541Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029540Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029539Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-589B-60F5-2206-00000000E601}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029538Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.030{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-589B-60F5-2206-00000000E601}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029537Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:59.031{53AF6CEB-589B-60F5-2206-00000000E601}2964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000066992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:00.584{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73172091CC0E7251A4D03DE2F3E3A507,SHA256=98ECA5FEDAFFB03AA87E55F2D426DB266390CE422F8FEAE51D25021DF324FBD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029567Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:48:58.114{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029566Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:00.202{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CF309C20B0BE71A5E8D7CE8A41C02E8,SHA256=5B4B307D38A4D24D67E4C2F9AA10B144ED71686B6F83DA33286701D59C8F6C57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029565Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:00.202{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=416F3A5F8E36A444FC07F5442FC63991,SHA256=FCEED597F392730E0EF981831A7B346C9B7A22CAA9186EB30BD11094E03FD0BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000066991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:48:58.142{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65181-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000066993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:01.609{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21185816E9EE0388CC5B854767E999F2,SHA256=195E14E9178D740107E29FCB54B9F03396FBF54CD3ECD0474B55DED481B8E3A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029581Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-589D-60F5-2406-00000000E601}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029580Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029579Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029578Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029577Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029576Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029575Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029574Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029573Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029572Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029571Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-589D-60F5-2406-00000000E601}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029570Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.342{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-589D-60F5-2406-00000000E601}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029569Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.343{53AF6CEB-589D-60F5-2406-00000000E601}1692C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029568Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:01.312{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3276350F7A7E6E749DA8404EF23C02F2,SHA256=52D7AE6F5D555500D083ED37E2D7A531A9C0480E3BBD9C7093AAAB8F66319FEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:02.628{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1764392C8A673CD8E610FB343096C7,SHA256=D5BDFF34D9F60A1E5C6DD02A48D99B2BF1C737AE099AF62A4E1EF2E26102BA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029583Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:02.358{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C72BA23E19E2A778D8EF0562F24315,SHA256=83297EB4AAD8237FB0F6BB763F9BE871BD0432BA4EC1963B3B9B4A3C632F8B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029582Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:02.327{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA11C98F9D154A0262F41D64AED3CD8E,SHA256=DF2FEF028DFBBB4F050BEB14F66BFD554F591590AA4DEB6F065A6DFD2E81EB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029584Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:03.331{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A5AFE7757A662CE1B5EFE6E206ACD17,SHA256=5B735BA9AF4034D8CBA6F7B0E1F4586D740EC0A3BC0C32C38E053F2E5E163168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:03.630{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D769F428E1821D9BDEBA304FCC6A9DFE,SHA256=BAD7B175180FAD868146BDCF6C1F8D176E55100D7CD1698AC9CE86D74AD94D77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029585Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:04.565{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D668DD41A217078B21ED051C2CFEF1,SHA256=812EBB1603CA4F885466FBAC070E44D8A8AE49CB4B34491D023259474B1DFE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:04.791{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:04.631{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C81E8E18AD57817CF3060BED79C098D7,SHA256=8866B9EF6E7840028D8346A72AADB1D9EF505CCC02ED1597D46DB03F072353CC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029587Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:04.087{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029586Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:05.612{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E893B544401FCF5B7BCD4514D0D8292,SHA256=69381555CA830D13B156D6B23BA640F54FA2729B5FCB605207823210F50F30B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000066998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:05.632{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DA19C7817DBA51819898F2892DE825,SHA256=7744E0DD4D668842678B2E12CC3394EB7DF1E0D12FD1C8C7B70BE0287BB8AA70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029588Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:06.847{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63967DCDB01BE924D374268E3B74201,SHA256=4F612C1F23665EDC43F5520C8C69D93812EE5F6333E2263347E53E689667BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:06.674{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25412D14419CB34CA956BAC619476B8,SHA256=0370CFC7DF02CAE78064EB3CBECEEB277D4AFA8BE3AB1FE56B893FCE38727D18,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000067009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0080ec55) 13241300x800000000000000067008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c83-0x504b0151) 13241300x800000000000000067007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0xb20f6951) 13241300x800000000000000067006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0x13d3d151) 13241300x800000000000000067005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000067004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0080ec55) 13241300x800000000000000067003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c83-0x504b0151) 13241300x800000000000000067002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0xb20f6951) 13241300x800000000000000067001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:06.464{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0x13d3d151) 354300x800000000000000067000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:04.704{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000066999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:04.113{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65182-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:07.685{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3A6FA6D6EE0999A906BE4EF279259B,SHA256=576F26F485EABC12D680CAFD9414BC60D8631A68C63E169F241F6E3E0EE764F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:08.686{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6339B181BA9F4EA1C1366251C652010,SHA256=9F9E0F8E4C9D333368E2F4B7A94EC0AADA81F1A4283CA743C005297662E6302D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029589Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:08.081{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C190602B42289B79EAAB3A604A0C6088,SHA256=18603C27100F4FCFD4639B08DC22A7B654BE71123089ECB7F79733806B5FE859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:09.688{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058081CB213AF142AC1982B54AE6EC07,SHA256=19E33F95D9F45DE2A76F7AE89C7572281427B82CAA8B9243E8A91D873A183133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029590Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:09.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EA54877B37BC02FF4B5B4EA282EE4D6,SHA256=783DAB18FFCB3876767509EF85BE58228108491E6BED7159E060DA1B86BA8C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:10.689{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648D6430FFEF5C6E9760D80F76FCA095,SHA256=62E7699AFFF30B859DBB7223ED9D5A67F79CDC160E185DB200529390D8053B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029591Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:10.362{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88D8BFFC49FDFFBBA1AAC58D2798AAA,SHA256=01A0AE8BBD2ADCEAACD24AD563967EAC31C542A4558CE65FC416D301D8283907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:11.690{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98634D79E1F3BF6D32A08BE60E7B1D18,SHA256=D4DB26141390D0010A0465DE5088D9344FFF7CEB6CC1CFD8B2501D44E2D31074,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029593Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:09.962{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029592Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:11.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D7FA71D8B49727231D4BD5DCF6A67C,SHA256=4123969E30FBED91D19EB8C489B46388B66A5848021DEF64F2C3332E7478BB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:12.691{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5117C420D9F1D920DEAD3090B2D0FCAD,SHA256=49AE5D711623E9616FD8713EF974EE34221D874F803886443A6D4C24264DA8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029594Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:12.440{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA585C1CCE593118DB40F0D9AD2C532,SHA256=33EA9FE4FA86347856E74F444B4E7F5152AF25CED67BA8F170FAD407862F527B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:10.111{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65184-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.753{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE88A2ED8A6302D3094EFE2B9EF8F50E,SHA256=7949CA49B6F8F21C3096C4A08F845655AA9AE238B48F471B89F0E3BDCFCAD6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029595Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:13.456{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDE022F986D911EA0CD324A696FF937,SHA256=A074EDE1762C252D94A45749CF85FCB45E5ADF4A16EEE528771DD0A5737ABDA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:13.412{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000067020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:13.412{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Config SourceDWORD (0x00000001) 13241300x800000000000000067019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:49:13.412{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_288C719A-D921-402F-93ED-77A6E8F040BE.XML 23542300x800000000000000067029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:14.764{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=525573BD1DA00C3B23B435D186270B36,SHA256=5F496D4849FF663D37F30985327F8163CBC68643BC997EF2C061578A09EBBCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029596Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:14.456{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85EC8C24E91786F6F5A9C8B72689C5C9,SHA256=438C5AA2ECE3467349F1FEABCD0646309DAEF0673F1AD5D2DFF62F8ADC337440,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.354{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65186-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000067027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.354{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65186-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000067026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.336{43EB4363-37A7-60F5-0D00-00000000E501}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65185-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000067025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.336{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65185-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 23542300x800000000000000067024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:14.444{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29BAD9AB1BEEE446441136CCB0E9A2D3,SHA256=0D44DF519853BF3C1F7DBC38E35E2840EA5B2C8291A4B95481EC5EAE34B04DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:14.444{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27943355872D1B974DABEA11C087AD43,SHA256=EACCE1A2B63E7F47C10FFA663F8E7CDBDAFADCE9F0B74B069FC3CDDF227CE340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:15.766{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B236C46ECBD311BDD4C1D9F78618CD2,SHA256=136407811198662B449C62336C91ADE9900BB443E2C0DD5543A66DFF495B01ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029597Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:15.472{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB23C07ED9036D3BA3575CBEF8AA382C,SHA256=2EC75DF3143A62619E13E057E88A233B27F577D81F787B656D88045EB21A2010,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.365{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65187-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000067030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:13.365{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65187-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000067033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:16.767{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D402C0000F65FB94EBD9A3CF76E44CF,SHA256=15994724FA9E5400B2C2B7885C1BFDF40F6B071613A02F7571DF59C5504363E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029598Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:16.487{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52F1188B9BA769B0E148915CFE0B9CD,SHA256=D0619EEBF04D9F0220EA14EBD61DF865FDD99A11A9708DB4905B48010140AF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029599Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:17.722{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFBB45D1131AAD27EF6327865B84AB7E,SHA256=216979C64B02A0A68C73FA01CD60398D353142DA4E043EBF8FEC75BFF0295A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:17.768{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6E121EAF54C3661C9860A290F3DD19,SHA256=6EA39C4E5BD270C16DD5EB5670C30A4D156A3AA37E92600D8AB780C310FB3278,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:16.099{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029601Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:18.956{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5CD9793464A74A962E74E3D54D704ED,SHA256=CAFC5D2B7D87571CB708B6A15BF39D042AD88CA71E77E351160A150668D4331C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:18.769{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67F342FD36FA41F10C055EF7988EBA3,SHA256=F9E9501A4CA38E92D48A4019ADD5CDCAA73D5763296BCC7AAF28E22C54D0D952,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029600Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:15.930{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:19.810{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEF644075E2F9D584018B64970BC9865,SHA256=1F447798C542BBED1D14D74004D51D3A076857D1BD8B50A31030D680B62EDA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:20.811{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F95855A3E23D5F6E2E49A15C7F3C30,SHA256=EBC8D29274069E0F5BFE2B6FCE1A26B50A9329E46DA7E9899FA9155F355487D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029603Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:20.987{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=CABFB716B70DA680745CFE8104498E91,SHA256=E5175B749C7A5754B2EE9BE8D5AA5E5A6578A133AC949C6B4F493D3CA983005A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029602Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:20.190{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CAC28A8B3287B79053621027546B7B,SHA256=042EF56635A8CAF062FB72433575B6E6C871D51A37255342B36D24504827F015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:21.836{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AAB1A6291463D4B2CBFEE06A5B6D574,SHA256=E8D2FC9DB7A9614B8A8CDF547A5C7EC5DD8267FE060D0A5A0A99A390EADDA526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029605Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:21.456{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029604Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:21.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193FC17478DCC401D30F2F88FE6660CD,SHA256=6B346D1BF731E1FB4281E099727762EF8C5AFEC90CEB066ABBFA30D3096B4CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:22.864{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28255BCA860DBFEABD7620B84378322A,SHA256=694F1AC25678E6E7A35D138FC859133218CC37BAA42EAF22501036F0E1E0D5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029606Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:22.554{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186A5A53F8DE47E3B2EFCC4A133F9C3D,SHA256=0F734817F07D3759247679D46353E6187BF1D3ABA11AE7AF6B04B5C4B5C4D998,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:21.105{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029612Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:23.773{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5350B5177765D7784A5836A3979221B0,SHA256=7743CAFCB84FC2C9B06CCD2E992D0EC656C4103798CAF480BA205DBD5ADA1DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:23.875{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D397D025E999154F34834DDA932782FA,SHA256=EF3C693FB97D760FE781E33561BADE9FB08956BCF82A7E9E37BA332E0B24F6DD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029611Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:23.601{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029610Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:23.601{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029609Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:23.601{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000029608Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:21.321{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x800000000000000029607Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:21.118{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:24.876{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5B91D1262336EBBDBA2418ADEB731C2,SHA256=E294F91CBB151DE42ADA43A838D32F9360C2D6076C809BB0CBAE2FB8ABE09360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:24.737{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CD99244DC640CB6344E3944A9B866ADA,SHA256=D48394F755F67B513EDD98E3DB9D031CC2D8AE77FD60C14CAAC6751DD7AA0774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:25.878{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962A7944DE72AF578AE7C0ECEBEE082F,SHA256=E55400BF3343942662DBB402D914040D4F2A10C798189A174D806C48D7D448BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029613Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:25.008{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286D37727A7FB2CAFF884E8216D83F30,SHA256=B159D6D444D8E24B95078A5B8304313DA306F897DA028578CBF4C5CD654757C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029614Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:26.242{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60FA15B9A49272C03BC56A32C8A315B1,SHA256=2812B7148265EF57EBA39B8F3ED8516E415EBA62B59316B5D9F07BC00D05C900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029615Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:27.476{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442BE1ADC8E071DAA803E044F3B440F3,SHA256=492CA6DEA8BD1AB9E46B28808A8345BADF36603480CDA756A0882FFD6B8AE4B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:26.161{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:27.009{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CE6B7A3F2BFA42098A2FD120716C6F,SHA256=B53CDBF79BE6C207BDCF205BC9CF04E29475554272820BB4E1D35E5F6B052F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029617Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:28.601{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AB8D30BC61FCD11D2B4510AF6C201E7,SHA256=9B7737D83B2ACA53CBBF4A5EFC459A84081D0FBD7F11FAFD40A1E7E16FACE57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:28.031{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83704953A445C63F7814C56F525B1440,SHA256=EAF697ED43A90F056C33DE14ADED5AD76FC44A3EF1D2C20E729F9AB850C5E9D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029616Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:27.029{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029618Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:29.664{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796E844C69608D234537A01F6E96825,SHA256=6388F2484F999E9215B3297E98718D1352BDEA86A4E526C2B0B87CC05923B1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:29.048{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D3014EB7388A7795B82755220BF510,SHA256=9FBC813F6F746B0278CF5E67CB21E584D9F16A177E4282A061349355F3F9922A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029619Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:30.679{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DC2070BAFE5DB711252202D6E7A0B8A,SHA256=DDB0E8E87A34F9073F095F50B2B194A965F5918B9EC1AF2A277BE87D31DAEE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:30.055{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3323A0C53E7DCA858B61005522377754,SHA256=43E313C3C10BFABB5E5FF392DCE6F4BBA7F17EB255ADE00D8F27A7A61DC7AE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029620Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:31.679{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87869D6236D32BC6ED08E7B1E5C34318,SHA256=5F887927B92C2E21F7E6DE94A8EC3CD346CB267EF7453CF6A28C0BAD92C66219,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:31.068{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B916D6F73B2DD89686A48ABBE6097E,SHA256=47F5449DF8B2382ED75C175E80394D4A077D62D001F18C13F84824529404B3A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029621Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:32.681{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA1772A5AB02EA2528EC6EEDDF637E3,SHA256=923B503CD2E62CE96871004774178654CF6977F4472B35B9A8760AFE66C4C55A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:32.078{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7618E5A8D4989AE1F3A495BCBD2BB9,SHA256=4B37A18919DB221FC719BBA17556EBF4B64F09C3DE83DA8A2E9392E04A345B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029622Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:33.771{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC041E745E9D64A8259BCF8A2E621CA7,SHA256=B9F1668D4412625F328CC51E98BA97177FB35B25DA002D5D84830D0CFE8ADF44,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:32.141{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:33.091{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB8E98D989897838BB60F58E440D9AE9,SHA256=419C6A64F56201683171B2BA6590620DFF72D7E8DE19D02AD8F2847A511AEE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029624Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:34.786{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6064D8942572A04BFCDEE21C2BD3EB2,SHA256=7D6EA2887475BD3E68920E4C7BD7512CE03D685902F08C90B40E1F51F0BDA3DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:34.093{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2354F8EDFC81B8789DB5039E1FA5A77,SHA256=AA662BDBE7A82169B3B5D1696C8F80FE16179A566D93826C6016630691776B6F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029623Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:32.123{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029625Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:35.802{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D81DBD425556440A9ED6FCA3DC331C8,SHA256=4805256A93EB5239EFBCFC993FC47C01C5D8C10E4CE47D582AA3592C622DC7BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:35.094{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA0517EEDF15A603BB95A7110EE66C7,SHA256=386BD765D568D6BFB2F758F3064339C78B487B2E3243BC4B73078B7340F1D03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029626Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:36.817{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=799BF9C1C2055E81799E947C206D3843,SHA256=8F3C8BD8807DFAD4902AC4BB8DB01D8C4913699B6BD066D60B0D8372BE6EF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:36.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9A04C9548AC4BF3B0E9D8C4E87863F5,SHA256=6523342D2EACD32C474F17DDB60A0463FB20BF7655C422CD92A4038FF4E7497F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:37.107{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F5A9E583AC6027C40DD9382E209CE6A,SHA256=AE507DDB8C045F1425525B4F083BE6F8A53C26E316C62F63AB5399023F267E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029627Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:38.036{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C562A371676F5346D554FD4EC6E3FE29,SHA256=5F60269B8D2A5A9F97FFD9ADFE69B893B97F54609E026011DD8ACFEC7645A85F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:38.108{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5DF65E65E541BD89A80C9A67D79236E,SHA256=A7D50FA17A968F279A2C377B03EC8D0551EBD393849589C67A2AAF826FA0D83C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029629Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:38.073{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029628Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:39.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33399C70749C5779BC1A68F42B637E2B,SHA256=F756EF27C2676C5DFE5B71DEAF7FE1BCFA53A61BA2F68F62A4F6BB3801352FCB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:38.121{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:39.119{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709223A7AFDF6334662A2568BA849BB2,SHA256=16DC82F8D1842042F62F28B2AF9BCA4914A2325272400B1D247F7C8FDE622402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029630Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:40.380{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A1B66288FE54D4115F1D429AC6697D,SHA256=562F2DAEA76AE1189A909073D4B721D0B685C09F9A969A7AE2B25A7D6324995B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:40.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2327E1AF3352DAE9A4DB371CD89E53B,SHA256=FA7190FFA77ED4B161899CFCE80552AE38B542A338645F33656D4FF435A24C68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029631Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:41.599{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0050B2BF527A1C53A0202988EC84B328,SHA256=B7249B1602EF76EB3D145A6C6FB4671683A00B9497E389CAAF994D7006847B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:41.131{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5D9AC89468A1711410BD4FD704B6CC,SHA256=6A6F612D2C2F3F5593B511B46C2BE0CD7CB39E7A11BF4E80DF4968FB103FE770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029632Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:42.758{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A24CC84337267A834A1FBDA0C947655,SHA256=8E00FC276C247FD5CDC88C5CB53711F850A90625B4CD3103D0516F4C5BB3E5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:42.132{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51744F9468531ACF69E7A2F5D293E6F7,SHA256=6D696E3DBA8677EB77763B6EC957F28BC0DF372386F72F2BDDBFA4AACF2AEA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029633Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:43.790{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAF8AE4590CDA7E245BACE06470CD03,SHA256=645E84FEAC9D041D93E91FC224623F879B2DD59A60B5DF0C2CCF98622C471DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:43.134{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962F88511FB69EE0898018B02C1D33FB,SHA256=A7C927E88F1685521724AE4990DF8BCC7A7B32C99686094F6C8BA6C943489331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029634Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:44.852{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4373F3D8502BC0FC3D6E8F5F74ECA689,SHA256=F3BAE296B1DADBB18A83339CEC230507F7D9ABFF2A62A6F058F378963D787A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:44.155{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4917F9CC44108FD858BA3553F418154,SHA256=1CD1584C4CF48E514C3CEF56B67BE1C4FB216673B794F5FF23DEE07B6426B387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029635Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:45.946{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E9FD5597D90DDD779763005A012E4F,SHA256=C2B601B923BCEE06A9322F52C36473A75544B22042869CDC89E7442F92CBB661,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:44.119{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:45.173{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C5045CD81A63C78DC461A63A13B00E1,SHA256=8F3756B142BCDB0F9C99BAD83C15A36510B8A09B8CD1A4BF46512EFA68DAA1F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029636Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:43.967{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:46.179{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D96C8DDCC8803EE331745549160F39E,SHA256=8C5FBF28C55D63C68BD82BA7C650323CF74B1225D04BDC707E208D6FFEBD29D0,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029638Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:49:47.649{53AF6CEB-39BF-60F5-1200-00000000E601}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d77c8b-0xcadcf40b) 23542300x800000000000000029637Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:47.149{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791A026CEE55DD4679A13269EEA4B3CD,SHA256=27A04561E65D852257542EF002B4EE38D4B1FA69F3130CD7DD0CDEAFA8800DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:47.179{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBABF2828C0935FFCF4B420E334B2B0D,SHA256=E00026E197906B5B7B3AF5C8B618424BD70C0817FED8D2262EAC0D65976C1FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029639Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:48.368{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4975F91A79097FA810E901A3F1C3384,SHA256=D54A8B4D150756431A595697789EED51953BDE0FB22D6CE8B8C1D425399A0079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:48.180{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10E750A411C55D773269BF2169069B4,SHA256=0401852C6A0368E65F1DFD062BCE2B4A3C3058A089869BD84D130FEBE8B8BA75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029642Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:49.508{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B82615AA4081487849575A73013D32C,SHA256=83F7FAF4B8BBABCAEB81A5975106A9B4E9B634E058B5894B9230A6E35451C18E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:47.565{43EB4363-37A7-60F5-1200-00000000E501}356C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-876.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x800000000000000067072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:49.182{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578AF028E9D072D528F364046D8CB63F,SHA256=D2E9A7A45AAEC74F76DE9F9251B2932D6AEFF1BEC58283A0FAD7A755D362B1FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029641Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:47.513{53AF6CEB-39BF-60F5-1200-00000000E601}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-286.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x800000000000000029640Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:47.513{53AF6CEB-39BF-60F5-1200-00000000E601}972C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-286.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x800000000000000029643Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:50.571{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98B32D075AB2295B1D52F604D474540,SHA256=8C048548C6B051CDF37D5DB9F80C4DCB2CF6154C31E972D69B0AD9F9696FAC8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58CE-60F5-DD0C-00000000E501}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-58CE-60F5-DD0C-00000000E501}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.423{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58CE-60F5-DD0C-00000000E501}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.424{43EB4363-58CE-60F5-DD0C-00000000E501}5076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.183{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F89374C33DDE8C4D27DC6E87C9DD2942,SHA256=3BED5B3E2204F9BDB373121423990B23826DE85397A2E1AFAE8274F57F6FBD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029645Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:51.805{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=972E88D175501BC53EFBD548D9A31424,SHA256=FF517C02BE0220329E135EAEF0D5DC921F8832D6CAFF548A209257F149A168AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58CF-60F5-DF0C-00000000E501}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-58CF-60F5-DF0C-00000000E501}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.985{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58CF-60F5-DF0C-00000000E501}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.986{43EB4363-58CF-60F5-DF0C-00000000E501}6936C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.545{43EB4363-58CF-60F5-DE0C-00000000E501}72086540C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:50.086{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.485{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAA92528829BCA5661669E070FF6A62,SHA256=9F204BEC37EE55E9D6CCE1F10F100E7107B81ED8EDB2686A7D2B7677381CD623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.485{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29BAD9AB1BEEE446441136CCB0E9A2D3,SHA256=0D44DF519853BF3C1F7DBC38E35E2840EA5B2C8291A4B95481EC5EAE34B04DB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58CF-60F5-DE0C-00000000E501}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-58CF-60F5-DE0C-00000000E501}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.324{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58CF-60F5-DE0C-00000000E501}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.325{43EB4363-58CF-60F5-DE0C-00000000E501}7208C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:51.184{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D9CDBE8F33CD3C5C80F4A006DD91E3,SHA256=4109CB5B2E481B9B98D5FC2ACF8EC83D019050D5AD21CC8C29EA41181EF1D7C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029644Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:49.076{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029646Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:52.852{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E1A2A2B3EE3217AB9933A2AEF37472,SHA256=10027110FC11A78B1F88007E57B16F95EFC284184254B55C47E8376910AA8DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:52.196{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A461293BF1ABA896771FBB7AEA192DE,SHA256=D54A5BA84F9A257CF6B09201AB3738D0D6F798BD42B9085625B4A92B9650B16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029647Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:53.868{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4787B98930EED3A1DF17DDFD270BB7B6,SHA256=68B3ABF1B619FDE14A7C6531E2EAA03D83105FF3BF9F043475E3E16BDD28B735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:53.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F6D233D36E25C2DA6BDBF0160CA77B9,SHA256=90F48A117A3AD9C3CA7B3B756E3031C1A8D3174F51335D5B1AC8E414A8BC81A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:53.017{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAA92528829BCA5661669E070FF6A62,SHA256=9F204BEC37EE55E9D6CCE1F10F100E7107B81ED8EDB2686A7D2B7677381CD623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029648Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:54.899{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7003E63472FE2696C8FA46949DB18E9D,SHA256=BFFA33E27E044122EE189890AE5ECB44ECABA16E24D4251D6C91690EAD13AF5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.903{43EB4363-58D2-60F5-E10C-00000000E501}80448028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F70B01BF51DE4E1C75C7A2A3C4F45F39,SHA256=172C4583603DE93E569E03CB6C2919446C5F7C524E0D3301B4B57E10485D2798,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58D2-60F5-E10C-00000000E501}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-58D2-60F5-E10C-00000000E501}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.689{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58D2-60F5-E10C-00000000E501}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.690{43EB4363-58D2-60F5-E10C-00000000E501}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.230{43EB4363-58D2-60F5-E00C-00000000E501}71606604C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.202{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA1906FA0F5F5C8E870C671DBDE3AEF,SHA256=2F951AB913AA52FDB8E6213749E057BE69A897A4901E93146A9BCDCF05C9B4DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58D2-60F5-E00C-00000000E501}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-58D2-60F5-E00C-00000000E501}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58D2-60F5-E00C-00000000E501}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:54.022{43EB4363-58D2-60F5-E00C-00000000E501}7160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58D3-60F5-E20C-00000000E501}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-58D3-60F5-E20C-00000000E501}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.945{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58D3-60F5-E20C-00000000E501}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.946{43EB4363-58D3-60F5-E20C-00000000E501}7992C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.705{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92336416E826E4A93A076E11173B0A23,SHA256=D844042E2A0D6CDD1C75D857628B39E11C70EF3935B6ADF89D971E1766F7E644,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:53.615{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65195-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:53.615{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65195-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000067127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.224{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A993321559D03374F9CF7277855F1A5,SHA256=DA6945C52E0E8566A3810700F99C76688A042862B2B683E4AE460B35F8FEE61E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029662Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.883{53AF6CEB-58D3-60F5-2506-00000000E601}36243260C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029661Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D3-60F5-2506-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029660Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029659Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029658Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029657Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029656Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029655Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029654Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029653Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029652Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029651Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-58D3-60F5-2506-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029650Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D3-60F5-2506-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029649Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:55.571{53AF6CEB-58D3-60F5-2506-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.977{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90D10953DEEA7319E5B4A7136B691A1B,SHA256=C95BD29808FCEB1A8BD189322FA550451859F11CF4149E5A0A0996795A7B274D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.796{43EB4363-58D4-60F5-E30C-00000000E501}74047884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-58D4-60F5-E30C-00000000E501}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-58D4-60F5-E30C-00000000E501}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.606{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-58D4-60F5-E30C-00000000E501}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.607{43EB4363-58D4-60F5-E30C-00000000E501}7404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:55.107{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65196-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:56.235{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD5B514E4A41548CEA9A3C769F618004,SHA256=3824C0CF7EF51FDAF4569C19B16A004AE8197FB540DCA8636891FF8D88117306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029692Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.602{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C0FA23A0F72B91C1441A7E03028608,SHA256=587747748B0D69DA3725D34246DDE3F456B9E8D219826CEFFF6D36F21F5857EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029691Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.602{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E95156337988805842E5E1B818B12E84,SHA256=9979AB44A6B4CADD82A8151AFE166FA67ABA8FF36B392F20EE39BC7E145FC678,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029690Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D4-60F5-2706-00000000E601}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029689Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029688Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029687Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029686Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029685Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029684Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029683Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029682Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029681Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029680Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-58D4-60F5-2706-00000000E601}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029679Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.571{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D4-60F5-2706-00000000E601}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029678Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.572{53AF6CEB-58D4-60F5-2706-00000000E601}3192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029677Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:54.998{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029676Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D4-60F5-2606-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029675Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029674Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029673Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029672Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029671Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029670Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029669Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029668Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029667Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029666Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-58D4-60F5-2606-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029665Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.071{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D4-60F5-2606-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029664Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.072{53AF6CEB-58D4-60F5-2606-00000000E601}3640C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029663Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:56.008{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42102EA1397C56DBC0E58AE63EDE0884,SHA256=D38C74B5D974F9B902E9FD6C25E8E2A9D94C0DD168388DD7F90413B8353C3BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:57.237{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC17A0F91A77F9C9BA2A6E54AFE8DFD7,SHA256=086F74F9267554C617EEC26785E8F872A22980008BBCF1B37D158C7B2DE4BC5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029706Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D5-60F5-2806-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029705Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029704Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029703Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029702Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029701Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029700Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029699Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029698Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029697Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029696Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-58D5-60F5-2806-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029695Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D5-60F5-2806-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029694Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.821{53AF6CEB-58D5-60F5-2806-00000000E601}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029693Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:57.071{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE153569D559392794698D647C60A9F2,SHA256=A0BADE98CF5CA77B696799694CDBAA66DC4D0317111BE073ADA9B7EE416A0BB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029722Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D6-60F5-2906-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029721Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029720Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029719Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029718Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029717Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029716Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029715Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029714Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029713Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029712Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-58D6-60F5-2906-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029711Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.946{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D6-60F5-2906-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029710Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.947{53AF6CEB-58D6-60F5-2906-00000000E601}4032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029709Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.852{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43C0FA23A0F72B91C1441A7E03028608,SHA256=587747748B0D69DA3725D34246DDE3F456B9E8D219826CEFFF6D36F21F5857EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029708Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.149{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6B6A21C70A8CF1EEECAC0914682138A,SHA256=7818C97C2193F151C66554BCE5E8C63CB41F481264E04D2C4852C7AEC97C4951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:58.238{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F82014C50F94D793AE4760D93BA1462,SHA256=CBB9920A500BC314B3819938EF67D592772D579B08DFC653D38C451909B259B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029707Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:58.071{53AF6CEB-58D5-60F5-2806-00000000E601}28883796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029739Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.977{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A866685DDF86E284CCC3E14F3563CB9F,SHA256=E4FCA5939AE8FBCDCAAD4837008F080236521DFEE133E544AD1DCEBA73975EC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029738Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.618{53AF6CEB-58D7-60F5-2A06-00000000E601}39283592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029737Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D7-60F5-2A06-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029736Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029735Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029734Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029733Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029732Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029731Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029730Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029729Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029728Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029727Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-58D7-60F5-2A06-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029726Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.446{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D7-60F5-2A06-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029725Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.447{53AF6CEB-58D7-60F5-2A06-00000000E601}3928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029724Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.383{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89655CE339AFDF00791CDD9DF9297DF,SHA256=05DF808ADA9DD0CCFF3978F9BD9BEDAC78B16E6B9758F92643F315E57A195B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:49:59.259{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=282176B039EE212C45CE056882A6A17D,SHA256=56D8D29C4D0F713AA66058526416F7FCBAEAF9A29D4B535CEDE4A016B7E93F0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029723Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:49:59.180{53AF6CEB-58D6-60F5-2906-00000000E601}40323840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029740Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:00.477{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC82B68B78A0AC71ED1E7CB2A532DC6F,SHA256=8BED0B98819C7452D6F952175E0AACA80E0B459E20F5FC07417713824E82E7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:00.271{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47EE642CD179225671B6052B44742361,SHA256=98BD549EC74EBE34F2D6BC66F548AA3B94982FE6208216309B043D4B6BEA90F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029754Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.493{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A74C0B72D33A9F30575840567A1667E,SHA256=B6DD40B0AD47AAE8FBB5DDA4BC83AB69D98A7EDD55803C82F17586A675085CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:01.282{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F89DA3348D97A2A906D6B7EBDD44F40,SHA256=E62165DAA6F3C7B89D0FD8FDB9A916C55AFD7A6D7C6AE4273438DBD3256D8822,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029753Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-58D9-60F5-2B06-00000000E601}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029752Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029751Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029750Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029749Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029748Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029747Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029746Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029745Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029744Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029743Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-58D9-60F5-2B06-00000000E601}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029742Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-58D9-60F5-2B06-00000000E601}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029741Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:01.368{53AF6CEB-58D9-60F5-2B06-00000000E601}2036C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029757Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:00.967{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029756Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:02.496{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE46746ECA3B4E6C812FA6E7288BE2FE,SHA256=5D86435665198A054F4EFEF65DF8CB6B18C2B1A29A2F46A6420F388E67CAECC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029755Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:02.496{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27AD22A7FADB65951A33EC3894A32683,SHA256=3A710DF565DEC4C7B5301E4A1BF005F4998610CE37459F9098599F18ACC6A964,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:01.105{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:02.283{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D69560399CF3B00812D5A8B8FEC01D5,SHA256=9A3B82E8F14D6E7FE487E50531A97175C87A6AE411843FF0F5EF2509C06285D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029758Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:03.559{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EEE4B4E99E3715CD49AC79499DD22E,SHA256=D8BDA017DC4B9E037914E344830E885FA34FB7F9CD3E040BA7B12FE26BE68D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:03.285{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0863243527AB2087ADF6388A5056CFF,SHA256=0DBBF768591D2F58BDA05C2EF847C498A4AD0C0596F8D71AA18206DFDB0F04A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029759Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:04.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E670F94205D12E315DDCB4C55FCFAC2,SHA256=A210C1B502015DF2613882F235242B5A606D1480C6D53A92B3CC0105EE5893EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:04.806{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:04.299{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B788E1D3E19FEFD53DEED629D7970,SHA256=11A362517AC1771B9750F516D3FC8593E6B06BBBD89A04768EEC1C5AE2E1653B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029760Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:05.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14B4FFCFFC00BF930A127470C598176,SHA256=34F25AF091A9DCDF85C3596178B83D5C4C8D36561BC5A6265002FDAEDDA23244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:05.318{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554E96E234ECF33D340E9A66B1B865DF,SHA256=3F3DB9CD6A89323722513221DC55D0F44CE8CC5858B61EC210B88F49C0F5A7DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029761Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:06.777{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A406AF44FA9A3C2EED95E317E8C5C6A8,SHA256=3A35D759C6D5A8D75D81FDD7109FECAC47A769A0E2DF4BFD7DC1350E15E4F097,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:04.729{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000067162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:06.330{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62086C87908F9F032E539C719B2B493C,SHA256=81CC9CA07B73CFC091D364DE55112D347071B6780460EA60D4C177AC2119FD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029762Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:07.996{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ECFB87B4D742FBBF0B5461844F4FD29,SHA256=F7C1F79C2C5DC53A83EB4A4D5A2C7B9EC7BED10EAB21E337985F45EF1DE1BD6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:06.172{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:07.341{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD6D3FC90CB827FCACE76C0DE779388,SHA256=CCD087C0CDE7D952E461F5B9D1571925119F4005CADB63BD38CC9196148C2941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:08.343{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0327EBAE532D9A65221733973854F1,SHA256=21D189F74DE6B79F624AF8F05338D250951AD9AE38697338638FBF7647FB0147,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029763Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:06.924{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51312-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4066365C678D2381A5DA686838504AB,SHA256=EA29B561EDA77F67E907077FAA88AFC3BE95A3C0D971ABD2D9518AD4EFDA6BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029764Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:09.137{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C61ADDB35C349247D27D350390BB94E,SHA256=779A5F8F7A3D7C32A98359F457BB1AFE4EE647E4258CC79406E1B57C7EDB0D31,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.458{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local50659- 23542300x800000000000000067186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.596{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.556{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\extensions.jsonMD5=0308531CA41065F01D1BF4CDA33BA1CB,SHA256=74F5853EFBC2B741536BD368F49D9ACF07EE3C7D9ACD01AA42783E7C5EA0C15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.456{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-b2d773MD5=D6FF50CC9E4446FE91BD4AF939BF9BF1,SHA256=B594F1712C19C8C9B2365AC4210D3A0AA022837CDD69AFD67D41AF927EE7C7A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.446{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\aborted-session-pingMD5=8CB2984A8569B484833883FB5FB47402,SHA256=805D507762924392F1FC6459BA4B467A300390BF34943C08CF17E1CBCEE4E27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.436{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\session-state.jsonMD5=ECF5302EC978B501A6AC404F2E74F8C9,SHA256=C3BD363460805F6F0098FF8B4F633F099406670D73F28FE4E9E14EAAFC9ABA57,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.436{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+122d767|C:\Program Files\Mozilla Firefox\xul.dll+135af89|C:\Program Files\Mozilla Firefox\xul.dll+1156c82|C:\Program Files\Mozilla Firefox\xul.dll+da3f1a|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41333|C:\Program Files\Mozilla Firefox\xul.dll+122af80|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+1c3f5e4|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+176a52|UNKNOWN(000002A380B03DFF) 10341000x800000000000000067179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+1c3f5e4|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+176a52|UNKNOWN(000002A380B03DFF) 10341000x800000000000000067178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+1c3f5e4|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+176a52|UNKNOWN(000002A380B03DFF) 10341000x800000000000000067177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+1c3f5e4|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+176a52|UNKNOWN(000002A380B03DFF) 10341000x800000000000000067176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+1c3f5e4|C:\Program Files\Mozilla Firefox\xul.dll+155772|C:\Program Files\Mozilla Firefox\xul.dll+101613|C:\Program Files\Mozilla Firefox\xul.dll+176a52|UNKNOWN(000002A380B03DFF) 10341000x800000000000000067175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-5725-60F5-0209-00000000E501}8012C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F5-60F5-AC08-00000000E501}1144C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AB08-00000000E501}6836C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-AA08-00000000E501}5952C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.416{43EB4363-55F0-60F5-A708-00000000E501}63406328C:\Program Files\Mozilla Firefox\firefox.exe{43EB4363-55F4-60F5-A908-00000000E501}5940C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+12b5348|C:\Program Files\Mozilla Firefox\xul.dll+29f8902|C:\Program Files\Mozilla Firefox\xul.dll+473c9b|C:\Program Files\Mozilla Firefox\xul.dll+d4d351|C:\Program Files\Mozilla Firefox\xul.dll+da05d3|C:\Program Files\Mozilla Firefox\xul.dll+41b35|C:\Program Files\Mozilla Firefox\xul.dll+122aede|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+3c0f18|C:\Program Files\Mozilla Firefox\xul.dll+3bfb5f|C:\Program Files\Mozilla Firefox\xul.dll+39d6aba|C:\Program Files\Mozilla Firefox\xul.dll+3a73bd7|C:\Program Files\Mozilla Firefox\xul.dll+3a75159|C:\Program Files\Mozilla Firefox\xul.dll+3f13|C:\Program Files\Mozilla Firefox\firefox.exe+1594|C:\Program Files\Mozilla Firefox\firefox.exe+4c518|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.376{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EBB39B5F06971DAE8ADB4D3CC089DC,SHA256=DD22585750F240CA3F9265F9FC08203B097E172270CE3B583EF3F15B6B3B1214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029765Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:10.168{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28A4E50C33028DFE71F2C47776BC8D45,SHA256=C65760F79CFFD0D629ABA628A793AED78FE152164298B4AF39EFEBB8F6CD27FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.075{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\ADMINI~1\AppData\Local\Temp\tmpaddon-b2d773MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.025{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029766Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:11.418{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E9D0259DE92C7823A551C521EBDC1E,SHA256=8D7AF7AA7B0DF8EFABA924D7360B8871EA607BC549EC8EF37E2F568AC2686800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:11.927{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\extension-preferences.jsonMD5=109CD065A084945786A8FA018194E5BC,SHA256=B5D3F24397275D44574EEC6772A9010452D075BB770DA9F81993878CD4A07BDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.487{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65204-false52.38.154.201ec2-52-38-154-201.us-west-2.compute.amazonaws.com443https 354300x800000000000000067199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.345{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local58315- 354300x800000000000000067198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.996{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65203-false143.204.205.53server-143-204-205-53.fra53.r.cloudfront.net443https 354300x800000000000000067197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.966{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65202-false35.244.181.201201.181.244.35.bc.googleusercontent.com443https 354300x800000000000000067196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.964{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local51341- 354300x800000000000000067195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.937{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57642- 354300x800000000000000067194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.909{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57642- 354300x800000000000000067193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.759{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65201-false93.184.220.29-80http 354300x800000000000000067192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.610{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65200-false35.82.131.108ec2-35-82-131-108.us-west-2.compute.amazonaws.com443https 22542200x800000000000000067191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.349{43EB4363-55F0-60F5-A708-00000000E501}6340pipeline-incoming-prod-elb-149169523.us-west-2.elb.amazonaws.com044.239.125.99;52.27.200.224;52.13.236.190;52.89.131.207;44.237.104.177;52.40.184.35;52.34.83.111;52.38.154.201;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000067190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:10.002{43EB4363-55F0-60F5-A708-00000000E501}6340d34chcsvb7ug62.cloudfront.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x800000000000000067189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:09.996{43EB4363-55F0-60F5-A708-00000000E501}6340d34chcsvb7ug62.cloudfront.net0143.204.205.73;143.204.205.106;143.204.205.52;143.204.205.53;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x800000000000000067188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:11.377{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB1589C0ADC0C22E11E866A179F993EA,SHA256=BBD836B2A0DB1BAC4D81029AE811ABEA0258DC9C29623E86599BA10A94C434C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029767Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:12.637{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8494793325DD6DFC9F34829E8346743,SHA256=7BF561F7B30120A4AE9D09C321AD62D553318856A937F87C273658B12C56DFD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:11.560{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local64649- 23542300x800000000000000067202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:12.398{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFF2DC57FF4D1378148203C1DD2BEBF,SHA256=510E6DB2EB22A9D4A6831DD86A2C7E0FF9A1CD22FEA46E7CCE36FF343E8515D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029768Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:13.762{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6234A634D5FA125186B8335B4411B690,SHA256=DBC020DB973D6C61C08F5D6C2471938121C0AD5F55980AE41E23EC9DAE3030C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:11.560{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local52963- 23542300x800000000000000067204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:13.399{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25F7C1FA8BE14701C32D42BFB22BFE4,SHA256=854472242E26E8E4002662F7A40A808CB6D4089B72208E61C6FE1F97BAF50A56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029770Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:14.996{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E18BE72DFCE8DDB8DEFE17D728100CB,SHA256=D852A135B1D0292CA1F57797BA87CAD5A00FEC08E2EA23FDC3E5DEDF78AAD42D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:11.970{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:14.414{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02529118C3FDFB7448CC7CA75BEA2DCF,SHA256=D9637542CE99F0E783692FE41B87CE38841081606CC3F87D5338F5E6D8F85673,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029769Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:12.033{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51313-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000067210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:15.822{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:15.822{43EB4363-37A7-60F5-0D00-00000000E501}8847488C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:15.472{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DB0EC79E6C907D5373D32EE9E81062,SHA256=932A5747DFBEAF07521674F5760B2BFBC0ED4F2EE1162753A59C10C2B685A825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029771Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:16.199{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E081AF24CDC147AD947956A002F4A2C3,SHA256=DC8185570DF35C5B85FEB2C9F5F2BD761F8CC7B27E6F4B5E71BBACB256E7506E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:16.474{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF840FADC664BDC4A7667B1E4E40A39,SHA256=9C6583D46003ADA1241B7FE7E735DF594CEEDD3D9D3CDEAC6F44D5D946EED74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:17.486{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A13D23D4BD8C2F8F7E64F886956023,SHA256=352406F81588390CFD28EB9959F2C73F082E52F7D85D865696F704710CCF203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029772Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:17.199{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84346D86F74887B3D3B33A4F7C0F463,SHA256=B45EE88F482C1A4A851F28D9666BB2A9A76924308321AF7D02DABB047177C810,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:17.008{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:18.490{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3534900B3E45EFA14E557966C3C9EC6,SHA256=14B471644C06C54BA832894A31D73B20AA4F7129DDEC2E764A113CCECA5D7C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029773Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:18.215{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F20E1A0E456BF627FD525365FF7DED22,SHA256=61756E03B743F26ECBEB0C8693DEED4EBCAFEE03B86E7E917AE98653A63E5164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:19.501{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E700B1BE91B7BA9F5329E15A165836EC,SHA256=BC70A3C66499A80D71670FFC7006C7A2318E06AD0979C1EAD6FF0594BCE6495E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029775Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:17.986{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029774Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:19.230{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=845906D656FA3B026EADD7B4812DC5CD,SHA256=AF6A80914BA5EF6024184383AB8445829974B3CBED803A3098E7DBF4386A9D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:20.504{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AABD945171B341E0F8083C5A70640389,SHA256=92F502CD084E1276B0480F976B3DC9FBF2C6F722732ED1FDFB5C7E2F09CF085B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029777Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:20.996{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1AACD9E80E770A6C4739297E248A9821,SHA256=ADB200C3C9CB7AD7DB5C33D81E4152212FC42E465EC6D0B780588D774DC28BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029776Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:20.231{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9016F0BB7BAB9F265A64793E14BFE36,SHA256=AE91EF8953CD01A834E557D1CA6A593FD8CE488A4822B39120BE49DB658448E6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000029789Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000029788Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0079e051) 13241300x800000000000000029787Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c83-0x7d2a4ca1) 13241300x800000000000000029786Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0xdeeeb4a1) 13241300x800000000000000029785Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0x40b31ca1) 13241300x800000000000000029784Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000029783Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0079e051) 13241300x800000000000000029782Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c83-0x7d2a4ca1) 13241300x800000000000000029781Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8b-0xdeeeb4a1) 13241300x800000000000000029780Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:50:21.668{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0x40b31ca1) 23542300x800000000000000029779Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:21.480{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029778Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:21.262{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEDC1FDBB840F359B0DB5D1413B39BB6,SHA256=8EAFF0784F5E3DC814D2938943C00FFD982BB1E8DD9BFC54474B6E34EE2FBB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:21.510{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=116DE19C128FC457EA9BA43C9D8724ED,SHA256=EFD5B02C3D7AFED6952C25DBCC1011F7C5FB752F7728191FD1FAE4FBC559F5DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029790Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:22.496{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A567CB6DBDFC88BE2D62309AE7F5065,SHA256=BC5C62C4CB8F3246795D9455688831872C8A8B2C0E20666F90E1E104F21CA23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:22.856{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E1E2DA74AAF8C393D67661A9F46BC2E9,SHA256=91AF7A5D350AD51D3C0321C4DCD750F9095CDAF4B574CE62C98D9D004997AFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:22.856{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B189A38AE5181868F01B7C203138F4D9,SHA256=C91C6227744229427794C2D3367F8D3B7CD8A45D3337A0527EB5D90E7844F3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:22.515{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC6681615F5C5135507358456464850F,SHA256=3872FB671BEB4E5385375FE7C0656D93785DFC13551FCCF331B56D25C465C758,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029792Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:23.511{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124712E898AA08FF4D00C8BBFFF3766,SHA256=88B532867138D66755E49B2132E43E2AB00C54AF81BF6DE8D8DAA98F76BD94FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:23.516{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8789AA930EE50F066AE030C45A591CA7,SHA256=E2225381E3CB1579951924839D14F225AADB2B8601EFEA123D6DD56622F6E1E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029791Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:21.345{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029794Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:24.746{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4618CC2870BBBFB9BA2A76D1C3FC31C,SHA256=21D2D9E8572852890C9F5BB13A0F52B332E72AAEF68C59D03A0C8FFA5C273819,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:22.998{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:24.738{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=39419F1BF90EAA7731688790315B0869,SHA256=E430DF79D56CBAAF5460B053F27919D103A9D39DFB2192FCB6DE68F2C82D9B5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:24.538{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BA1B83BF6F6661143923AE9C3D16469,SHA256=AA4F6CC19EBE85AEA2C01AA66B24E6278BDE2FFA8A59F24DB7DEB74E86DB9A0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029793Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:23.111{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029795Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:25.980{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1B1B79A80EA4B8DA73E0CCA4232E63,SHA256=35949BBC8F22118DDDFCF50B7FAE5E33D84AA90F792BBEB0B2730383B0C8B4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:25.549{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DB56B27144C9E08DA17AC6CBC6E498,SHA256=91DF3504B71B7CE35BF020B436B6800588367920192D9B573C1F89CC406DECF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:26.551{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C24E09A7FB811A20C8CD7FB81615C0,SHA256=BE2E63CC1881770F32ED85377D5A915D92A07CEEB0DB5BC5255711A57DB12643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:27.793{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000067229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:27.793{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:27.793{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF822a05.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:27.562{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA953CDA667DCE0A5B7D4AEFAC4722A0,SHA256=10E1F21A1590FAEB74694098EB3326CCD2CC59E342530EBFAB9633E2003A8D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029796Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:27.137{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4508F8492BC498B00341AC458FC2114A,SHA256=25B38CEE077210C9AB70B6A758DBBDD89551850F3F9EA07F1EBB651030C677E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:28.564{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDE19FF6B285A7E2B6A92E14AACD604,SHA256=18CA42A33D0B3A4BC7B094E5A29861BAA5DE52CA0184F9AB1728A4AE57CF7F7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029797Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:28.308{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F9C3FB4B95B526A5C4DA527E5EF1B8F,SHA256=C40F18FDE8DF4C070E75E98B2DD6C0FF6D71CB22FB0A112571F5FA3C2A1EABF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:28.036{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:29.576{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C13C727CAC4F792AB443396C996BFEB,SHA256=8CA008C95EDFA99DA701AD37018F8CE82445744E3DA12B03C6E9036487D836F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029798Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:29.324{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6448E63ADE1757C0F933792471C94F57,SHA256=621775EFB8FFBB40E1447B2CF87AF998700F7EC4FF4763A5B388EFD464F971DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:30.578{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80538F0B42F8007840BF0DD86ACFC056,SHA256=044F5BBF4B489279E62767524E87BF66E35E753A332A320F9BC7A421ED49987D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029800Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:29.016{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029799Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:30.324{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C364308ED91931FA45FB5CDE278AB3B,SHA256=60A3F32B1B785D4A0C07C53CCC837F9D89B7AB4CE1C3D8A730AB229A96575D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:31.589{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C2EECBCD90750CBA44280367CD2325,SHA256=56667EA6E102DF858F4D7993BD8085BBBCF509DEF2D1D207AD06586E8E24C1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029801Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:31.339{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C572BE02690C0C9968A900E7134AEAE4,SHA256=CBEA454275BDF1ED4B51180DAB5A3F69BE80B731E61A7A60CF03220EF6FF9D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:32.591{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0012FD4A0070FA88D833D596FD74A0,SHA256=345637BA9983B289288E8536753520B6FA8ED4B80BC6F210AF8C0C7B3C32D02C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029802Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:32.339{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0FD6C81DDF33BB1D96B03568157B0D,SHA256=8BC6A3D042ABE4B5E2F724B34412D5DD396F2D5E6C4FDBA1055FC062354A8EE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029803Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:33.355{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3249266AAD1DDA3992E1B03C090F48,SHA256=8C42102F29899557AF0FC408E91F62535A4104C1A64C73B304DC319D016A4D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:33.592{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=940657565C295092382F9B8ABA983D48,SHA256=4642F00C867305064D777FEC13DC335FA7FCAE8E411410A0522961F9A6518E18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:34.594{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A2CB56B4F949B558E6CDD029A44EA1,SHA256=E23C50723DD698DE0960BD7775FBC63AA25995041ABA603B280DE22C82DA7DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029804Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:34.356{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC979D23A941863EBE48C0A2E988E1C3,SHA256=2CD725AB5171566E67CE0E142ACA41FD9794F7547EEC5762DD7CAF97D86E0BB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:34.016{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65209-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:35.606{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A662E626ED7B3F755A91415114C7BEFB,SHA256=5910CE44610C18A4F0E030E42C0B65FD074C3997CFFD1977248754BF41639746,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029806Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:34.096{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029805Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:35.374{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699AEE2DC9C112CAE765F9FD1C495993,SHA256=3ED147EA95AA2869D1E1BA57DFBEDE9341EC233F13853025BDB64C14A51BA3A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:36.608{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F66831448355B103BBDD7B87FB29F2,SHA256=90E27F9EB6C556D9A8859CF3879F36861C0CB4A0BA12401E28BCD834B4191FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029807Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:36.423{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37BE345851E1B2FA50095C0D2A18082,SHA256=8C419B9E5540274647E43F750C054D17A15BF89539B4E5E265A4C1788A7113FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029808Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:37.658{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CD56E5C2A438F39240AC5590CEAB78,SHA256=34BDD4488449B6F9D083333A7073430AD916AE950C533FFBCE2E417752F3BBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:37.609{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7023AA56655C28CA12E706DD8768F3F8,SHA256=FD139A6E8C73E36D1D106B2C45C8C4A032AB438D9515176146C656D2EE380CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029809Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:38.876{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=651F884AA19BC2D802AF944EE9D39867,SHA256=8498A22CD6D132350284EE72CA5ED2DADA5D8F1B208E04567F6B9872F2C980DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:38.630{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0859C8D549DC87AD1C28B227232CF416,SHA256=865E06462378C0FB2D45DB4A6F86B78C0E253A317D406B0952E7CA310284C74B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:39.632{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF57EBB460B43BBE456E5044812B91C,SHA256=DDAED6951B236F0892994CEA6F6A32024326A60E7B467E12143CE3A780DEB82E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:40.644{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C0875A70E5E6F97B224C91B243DB3E5,SHA256=31644E1C433C782FF9ED93E61523FF6EAB0F16A0302846A628A80D487D084DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029810Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:40.111{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBF7D45A02F255383CE3D5FEC077BA5,SHA256=65DBFE34F42952F59BDAC356775597AD5FA1DD82FCD6D66A542B73B3DC6F8F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:41.658{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23943EB1D6891DCD6D06A51108947FF3,SHA256=B82CD7FFB8F85284AD7A530E5FF4358DA2A77107EF23CEFD768C5F38A895542F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029812Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:40.054{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029811Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:41.142{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE7702D2C99A19283415535281DE63CC,SHA256=CF5A6B333CAB6E60C24B7852483D0DD3F2E20610468B4BD062657BAF598AC265,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:42.667{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1231FA96B2DA69307384AD8B249B17C1,SHA256=C271C3F76FACF1D14EC739A9AD9311686723A728B508B876E0402145AE96F824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029813Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:42.376{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3366E8E768730B623BBE1D7A61214B,SHA256=4B21F625F766604BD535EE6D1D015B586D6E736042EFBFE6135A3E277B85BB78,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:40.035{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:43.688{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB5A95D380C1CB911FD7BB12A3C5A3C,SHA256=BBCB50E967C584225D19C793805A4885242B0FDF8DAF54D2003A83D03D592633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029814Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:43.461{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3ABECA7F0030EBAD87A63DC868A4C4,SHA256=4829066D41ADBC82E32C290672160A616BD5AEC9ECAD94AEE82C1DF28F42C801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:44.690{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A419E7F269496F38066D4354BD03F913,SHA256=76746D3963055F147EF8B272BAC73295020B0B5FAA078CE5D22E37CA78E4E88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029815Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:44.461{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C35281D57E97C3B0700B3B27D3D5DBFD,SHA256=D40F99E79D756FBA59D6BCB27705C1023E90EFD85B9E985F64FDF5B5536F4E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:45.691{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B9C22C7B5ED87635DA3E8BEF4A15B39,SHA256=4A64FC6478CD38CF892A41988EFF0395F2E2569657D454746609A4C27E3F1FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029816Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:45.493{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F536BA0E0973FE28E0B311EA154290B9,SHA256=3B3CF943CCF1D746B143F67686017986DEF26DB543107056D5A73C58E462D40C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:45.191{43EB4363-37A7-60F5-0D00-00000000E501}8841952C:\Windows\system32\svchost.exe{43EB4363-37A6-60F5-0C00-00000000E501}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000029817Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:46.727{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD902CDD9D188C4CC324B5C8455C4CB,SHA256=1DFD13827ADCF1475B681DD74917539239EE17AEACE9C5F53B16FC1E8222F2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:46.693{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC56342DBF705CB79A07F264930CF88E,SHA256=FFF2621F6AC815AA937FF231849DF2FCCD5446EFA9C076F20C6C5D8DE3264179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029819Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:47.946{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A4B6430043458BFE5A3D15727F53F4,SHA256=8742CEC01EBAEB135836FA94467CEE6FA514A82E8F52725F56B70A3D9CEC6C23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:47.869{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6C3E94CC32DA04D49FAF387E9F69ACAF,SHA256=21EEEF68215D605F082589895168411B5C42FB5C17C67B825E65660E98B120A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:47.867{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E1E2DA74AAF8C393D67661A9F46BC2E9,SHA256=91AF7A5D350AD51D3C0321C4DCD750F9095CDAF4B574CE62C98D9D004997AFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:47.694{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F06BDE90047BF379A8E29053469436BD,SHA256=2768F9EE7EE1961E0CC1FA804451542CB86DFF7D51B086946E10F3B97EB85560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029818Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:45.951{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:48.695{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C45DC6AC5BBDDA94E1D8197615D1FE,SHA256=D86F0EB2FB55D89D4155C86B5B7A2F7573C47CB583058D08F9EDA923EFC51E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:48.535{43EB4363-37A7-60F5-0D00-00000000E501}8841952C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:45.995{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:49.706{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19051AB602666DD86A93628490C4FB31,SHA256=132CF38CB0334FDC5964BA26D2CDF57F7A25D49D0118841FE77A05EB9BFECBD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029820Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:49.102{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786E479D5AA41DDBB4A267FAF3099903,SHA256=9B04A537CB833C438DB92D68766B5CD24F9E7FFAAA7D93F13584E836975D3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029821Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:50.258{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DDF4DE713CD18D5C71B8896C3ACD5DF,SHA256=DF44AA1C87833C626BF1B191D969240C4ED0135296BF4F0B4C6F8D8EBE91F55E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.648{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590A-60F5-E40C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-590A-60F5-E40C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.438{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590A-60F5-E40C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:50.439{43EB4363-590A-60F5-E40C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029822Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:51.258{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B539436045A80B4F6B4015D64ED37BB,SHA256=938D0FA9CFF8588DB3AB6908B3850FC95C4C8110169795B4B2FB2EE2CCE90339,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.620{43EB4363-590B-60F5-E50C-00000000E501}77485172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.440{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=520BBD5F08E39933BE34309C95063AF4,SHA256=9C56C2B461DCA09A28E078B78D98E2500CED9658C8AC3AD07FB4482EDE7E1F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.440{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=112B999953A67A8247A114EF0CE7E29E,SHA256=33D3787B9ADA3E105363CFB15A70E94D2CB77C442D42DDFA5D089542B2E0AAAC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590B-60F5-E50C-00000000E501}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-590B-60F5-E50C-00000000E501}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.330{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590B-60F5-E50C-00000000E501}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.331{43EB4363-590B-60F5-E50C-00000000E501}7748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.120{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6A481C5F6A5C50813A6A01530D64E0,SHA256=BAB55D15932D45F023ABB81AA9FAB3155DFEBDB306C6A0EFE302785837283353,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029824Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:51.138{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029823Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:52.290{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D7CED8587E9BA946272F1EFFF6F440,SHA256=85572308E9AF4B859B4F29B73955DAEB477BD3B7546839A4851628F8E44F12C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.131{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811CC7545F0B2119153CB0F0F8EAE6CE,SHA256=1E26D72C4CF48574850EA7D0232AE578F7EFF036D5B5B92055330F1584DA26F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590C-60F5-E60C-00000000E501}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-590C-60F5-E60C-00000000E501}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.001{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590C-60F5-E60C-00000000E501}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:52.002{43EB4363-590C-60F5-E60C-00000000E501}5132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029825Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:53.508{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50F7B422B8663AE7C553F5B9809CC26A,SHA256=86FBB34C5E35396FE30E3700AFCC9664FC8E4D7C90909F7C7585F4DC2FA80FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:53.153{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA9C48354B7708FD624D8225381DD4B2,SHA256=B1E9891EF4E138E699460963E24CCC25C4EDE25808B48C5D10A84C32BED5109C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:51.002{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:53.006{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=520BBD5F08E39933BE34309C95063AF4,SHA256=9C56C2B461DCA09A28E078B78D98E2500CED9658C8AC3AD07FB4482EDE7E1F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029826Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:54.571{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=771754AB21E1BBE31D5311880B49E4D2,SHA256=2051CCFFA00E9205473B3BF26DDCB8AB958901A4C5394505A63E791122C3FFF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.896{43EB4363-590E-60F5-E80C-00000000E501}41604208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590E-60F5-E80C-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-590E-60F5-E80C-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.715{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590E-60F5-E80C-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.716{43EB4363-590E-60F5-E80C-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.695{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F2F0FA39313E75A7C9A4FAC0381F56D,SHA256=4BAC4EFDB6EAF673C652C09497499359F5E32D0F233D65D81F828D5385933FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.255{43EB4363-590E-60F5-E70C-00000000E501}20721260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.180{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D14C9C2E084A9D8A88E3FA0232E1ADD,SHA256=321EEE4E6C117CD3081F23A3D7F2F985A0A367A7F8B06AE93340B3B04F7AD44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590E-60F5-E70C-00000000E501}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-590E-60F5-E70C-00000000E501}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.034{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590E-60F5-E70C-00000000E501}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:54.035{43EB4363-590E-60F5-E70C-00000000E501}2072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029840Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.608{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FA548693097D4D9FDD178D0131A46,SHA256=54800211E7568E2EFEFF64D57A65165EDCED092B7F057B7D47BF6C21FC980142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.887{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-590F-60F5-E90C-00000000E501}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.887{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.887{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.886{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.886{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.886{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-590F-60F5-E90C-00000000E501}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.885{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-590F-60F5-E90C-00000000E501}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.884{43EB4363-590F-60F5-E90C-00000000E501}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.880{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B0E363C88B5B65C01153BD86633BC44,SHA256=D0DE67E040A4AB02D384A2CB91B056E25EC21D8D6B8E155A9204A25B876FCD3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:55.186{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDC5A00742E30B5B130560C2E161F82,SHA256=02258ABBB1BBE34A825AC6188E7D8F168404FA0FF37A6C6665E8530C251F3682,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029839Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-590F-60F5-2C06-00000000E601}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029838Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029837Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029836Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029835Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029834Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029833Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029832Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029831Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029830Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029829Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-590F-60F5-2C06-00000000E601}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029828Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.571{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-590F-60F5-2C06-00000000E601}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029827Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:55.572{53AF6CEB-590F-60F5-2C06-00000000E601}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:53.627{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65213-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:53.627{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65213-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 10341000x800000000000000029870Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.868{53AF6CEB-5910-60F5-2E06-00000000E601}36442532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029869Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5910-60F5-2E06-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029868Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029867Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029866Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029865Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029864Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029863Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029862Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029861Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029860Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029859Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5910-60F5-2E06-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029858Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.711{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5910-60F5-2E06-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029857Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.713{53AF6CEB-5910-60F5-2E06-00000000E601}3644C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029856Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.618{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=301F2C2864AA76AE6BC2D4E6EF2637E7,SHA256=F6B4E0131B598EC695C70D2961BE7DD553DFDDD5B730056C12500354C1F6D001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.929{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BC90E611659A8107F1C013319D2793D,SHA256=05D1333D0AA097137FA2164246D0574B258CA331EC852ABE17BB0E7B64B58070,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.658{43EB4363-5910-60F5-EA0C-00000000E501}1004948C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5910-60F5-EA0C-00000000E501}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5910-60F5-EA0C-00000000E501}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.438{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5910-60F5-EA0C-00000000E501}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.440{43EB4363-5910-60F5-EA0C-00000000E501}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:56.188{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F208AEE02964F233E72DA84E8868C39A,SHA256=7A5A05FB27B6FA7349D6A307C053D33094AE211302D29B76E7DB1FA27C884D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029855Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.602{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0490C077286BB532EC21B432BAD28A4E,SHA256=BE4E1B9289CFA15B4CCB6090BFCF3BA106DD151D1F6A996C7E7F6FB3B46390AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029854Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.602{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=387C4DC93B0B5BCB0F6627F338893F09,SHA256=572A44117E212FC7DACDC066DFAD3B0BA91ED423565BD9C9108F505EE4B32BC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029853Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5910-60F5-2D06-00000000E601}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029852Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029851Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029850Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029849Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029848Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029847Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029846Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029845Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029844Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029843Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5910-60F5-2D06-00000000E601}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029842Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.086{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5910-60F5-2D06-00000000E601}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029841Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:56.087{53AF6CEB-5910-60F5-2D06-00000000E601}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029885Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.868{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDD0919C61805643FAC0D5CEE561F81E,SHA256=A460BA005255A8449BF0E4D533F47E71CCADD24382279B4E5FFBA331FC13D24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:57.189{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FF99D848BDA2987104B2B1D00D0B6D,SHA256=821929CAE7054A76ABBA3E0BA80D5AC9267909C02E4523AACF96F1E9A7967817,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029884Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5911-60F5-2F06-00000000E601}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029883Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029882Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029881Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029880Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029879Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029878Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029877Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029876Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029875Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029874Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5911-60F5-2F06-00000000E601}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029873Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.821{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5911-60F5-2F06-00000000E601}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029872Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.822{53AF6CEB-5911-60F5-2F06-00000000E601}1612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029871Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.727{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0490C077286BB532EC21B432BAD28A4E,SHA256=BE4E1B9289CFA15B4CCB6090BFCF3BA106DD151D1F6A996C7E7F6FB3B46390AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029901Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5912-60F5-3006-00000000E601}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029900Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029899Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029898Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029897Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029896Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029895Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029894Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029893Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029892Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029891Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5912-60F5-3006-00000000E601}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029890Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.961{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5912-60F5-3006-00000000E601}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029889Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.962{53AF6CEB-5912-60F5-3006-00000000E601}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029888Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.946{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48AA3D8127A401A1BAEA457CEA0BFF85,SHA256=16CE68173557D6870914CC2FEDFA6E175B7497B7A57D43A027F8B7AB46723EF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:57.001{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:58.191{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69433204C6D06584F215000BDE635C46,SHA256=920772F8F386B69BE19A3BCF43D0EF0159A3E372127BCD195208199FFA7117C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029887Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.852{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D8BA1E4E2585D83400F59ACC665F24B,SHA256=0EB4E972E22BC33F4A6FC6CC8D28A58CF2FB33C53F5DB27AE807D5B3525A4172,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029886Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:58.055{53AF6CEB-5911-60F5-2F06-00000000E601}16123248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:50:59.289{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=237B28A28DA7D2B67001FE4375842888,SHA256=111F6376097073DFDD4FCC2A5A9BA7F92F3B46C204DD76D73AFC05A7C24C7F90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029917Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.821{53AF6CEB-5913-60F5-3106-00000000E601}33803348C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029916Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5913-60F5-3106-00000000E601}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029915Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029914Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029913Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029912Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029911Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029910Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029909Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029908Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029907Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029906Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5913-60F5-3106-00000000E601}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029905Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.633{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5913-60F5-3106-00000000E601}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029904Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.634{53AF6CEB-5913-60F5-3106-00000000E601}3380C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000029903Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:57.091{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000029902Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:50:59.149{53AF6CEB-5912-60F5-3006-00000000E601}34443268C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:00.304{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7487E3734C4D14B312FFCF904E74BB0,SHA256=8929B75A3E819608D17C8AE076428BCACAF58EE26C9345E3250FA13FFBAB7C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029919Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:00.165{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCC7BDC28476D7A6A4F1FCF710A6F12,SHA256=F63C2E2A120376A6CD3565ED07A3DCB9386C35CC1894070F82EA5904861E0E91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029918Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:00.008{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CEA4486FBC4786AB6D74D96842FF1EE,SHA256=A705B811F6A7846A920B2C518BABC6ACE52498A15C316EA0B6B786FDDABE8E92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:01.315{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1C7245B1AA0DC83CA22A90573129929,SHA256=AD3B1BE43D79F187595B488AD1115D5B779D36250CD92E01F133740B9466F87D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000029933Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5915-60F5-3206-00000000E601}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029932Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029931Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029930Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029929Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029928Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029927Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029926Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029925Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029924Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029923Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5915-60F5-3206-00000000E601}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029922Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.305{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5915-60F5-3206-00000000E601}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029921Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.306{53AF6CEB-5915-60F5-3206-00000000E601}3412C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029920Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:01.196{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FBFD85B8ECEDE7CA38E4FC1A9E7A50,SHA256=A2DCF082A404E4926855F0D078D6EA4A9EDAAAD7B57E0334DC9E481D4C33CBBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:02.327{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED582DC98B07F6F8BA4C0C9CED10EF4,SHA256=CD4CB90C33062A1FAAC33FF38F47AA93981706150F7C8FFEAA5BD2EBBC14FAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029935Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:02.321{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA97F015D2F49A30A330BF458C4FC326,SHA256=AA31FB0A56ED25AB126FF7DFFD40978A4AE7AF6F437A84FBDC6F5B33EE4EF861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029934Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:02.211{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C6E2832D29779E929DE5123AA67219C,SHA256=887CBE86A634B5B1F210778D4E7675C2EA6E096208DEB74101C7A91D433DF867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:03.347{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF697E6D5EB0C2B27ADD5A937BA5BD1,SHA256=824E542C7EB032FEA555B3820721A16B0C818137A54594943A8AA444644E6955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029936Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:03.419{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6296513573A4C63C191C0238B719FE,SHA256=6F4E83CECA9ADF42E7E083D00B977113D88DAC2A0B9D580456066326D0618F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029938Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:04.435{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64ACCDFA8FA96E6A11C58A8BB6785766,SHA256=504909AE0517BB7D804ACE7AE19AD6696D5386DEDB9DCE0C43C57871865FAA3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:04.829{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:03.013{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65215-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:04.349{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1169A540DD37B4DE1203E31BD7E0AC4D,SHA256=9B0E8DD47736A91F58508D3786C72764E9305D5FB6F00F31D8CF94E6BFBB25B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029937Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:03.002{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029939Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:05.669{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EB6C4DA077790051366B67535CBC46,SHA256=778F7ABB185BB127BD18C8C8D1343C78F85F747B4510BD53464D1510A2555F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:05.350{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD67733459FDF27D9C234B00B746904C,SHA256=B51727A5D08415C2E90866106EA57289040436F1AB7582498A0DD160565A1A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029940Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:06.826{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D397FE89C8E299AD79CF524E03B2C040,SHA256=479207DBE8746AADF99330EA7FCA84612B83080BBA5840B2AA604DA0505FEBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:06.352{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7E30628807BD3F7781F4A5ACE2887B1,SHA256=6523363EDB1700A75DD861714047F690F5F22CACC77522A84882A6D27135C725,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:04.742{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000067377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:07.363{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F014084D8AEF917378E126FE003934E2,SHA256=57880BC260C4080DA8709D397961B5FE6DA2266B75BA1AFD2C5CC470699BE644,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:08.375{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC4E3B95D5456B25AB7EA54D33B6BD44,SHA256=099BDD4D8D20F128DA039CCD7DD559031A633877E7AA642F4DB008E0DFD31EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029941Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:08.060{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F277873CFE7ABCB2A135717D663E86F2,SHA256=5003E35836B4030C5D2F60888692D3A0FC0105042AFF4347C274980240C5FBC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:09.377{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B87FCFA0C66036151ABFB28E13A8C58,SHA256=8D7F7B88D06A7D959999FC38B3DEE1A01D1088FB777E879AEF1149141A9787DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029942Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:09.138{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210AA06673590A65663F6C5343B4138D,SHA256=BDB2B51B004B0C8E8644EFFC8579E9CFC385575C2A20A5C64B41E6FE9B255B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:10.379{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5CA472DBB8DCF6D3A9E06FD3FF5E56,SHA256=4C6928AC4424CD484581328B0C9F3A943C2C09A51745911085D3F8C81FB5F0E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029944Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:08.971{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029943Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:10.326{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8351793F868F9241B4DD8FD7D23D779E,SHA256=A25190667A03C0BB3C1C42AF0C514C41F1FF8E5D55C21A7E0B291AE89CD55C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029945Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:11.544{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD525C062B9418BAED65CB7C75633E92,SHA256=6CF1097A826BE13DC2C002D99179A8A867B09EDA09CBF08627E5F99055A5C416,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:08.999{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:11.381{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F12ED9F829192B63B5D0496D01A366,SHA256=BC33471477EB164C183CEF06FC07AF1CE433E0C7FB0687AFFE68615D4E5905FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029946Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:12.779{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8502D3D80BFC011D569484D91A48C83A,SHA256=B13A1F231C0174D0AFF700805F0BA427BBD1369970242BD0C5691C2929430F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:12.392{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4D98556E3EFB54688A27CF76B8C100,SHA256=A4160100A547C893937A6EBDDB4D9D66D6674EAC031555CFA9CA432AFA8FF8FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029947Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:13.794{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8E6B6F53BE3353AE84F723A11C5A62,SHA256=5F849759B7B246D8E143D461D1DBAAEDE1C255E5CBECB4DFCCB1B1B376A5857F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:13.405{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9688C258FDA779B245359280524226AE,SHA256=B98BECD20645E146A185CE44669141DF91200ADFDB570458451CC66F42D5BF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029948Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:14.841{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1868DCE714BB30B4AC1A7F227A035250,SHA256=1A3F605D14BCD0AF3C9F000B1A21928EDA62040FA56A40B8679F268177EA7D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:14.415{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A4FD6BEEECB4965294DAFD7D04FBAC,SHA256=8EEAD6FD2E4EC9DD2FA57427D994E3F743F60AD4EA34C0E7EAF4CEFC95B139C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:15.448{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E204A87C4F2435EBB5FC20C1FABFB6F6,SHA256=B4ACB6C9F2AE2B96109E3B0EA3E90F8E88351D7F970205C32C14AD5B9B34596D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029949Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:14.128{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:16.470{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C932D46E30B1FD6404D4B55B70E9B000,SHA256=42A7FD16274DD7AF973676C58BDC71495FEFD892CB96AF4B6E5063DD59B302C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029950Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:16.044{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A81CD10730B4AB6B6A02DFD3826201C,SHA256=75C269DDAD62E7E7B29C177154B96EE8878147B49B444894EDB38BAF6B5DAA7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:14.969{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000067387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:16.059{43EB4363-37A7-60F5-0D00-00000000E501}8841952C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:17.471{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAD9E59FF2E28A89AE4D49B562EE834,SHA256=AD5234D395BC20CCD9EE9802B1D13D2CF4CEB045F8A1D4F2B92F031B8118DCB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029951Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:17.138{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C8B7D5DB3CD2C7A6A98878122FB001,SHA256=21F0E0FE98364677D10F5C479E5A194EE97A936CA915A4B82179D5F1BBC823A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:17.391{43EB4363-37A7-60F5-0D00-00000000E501}8841952C:\Windows\system32\svchost.exe{43EB4363-55C4-60F5-7F08-00000000E501}2180C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:17.391{43EB4363-37A7-60F5-0D00-00000000E501}8841952C:\Windows\system32\svchost.exe{43EB4363-57BB-60F5-ED0A-00000000E501}2136C:\Program Files (x86)\Microsoft\Microsoft Search in Bing\MicrosoftSearchInBing.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:18.473{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8479D8B65908B5101BD53B2CD37BE57,SHA256=FA101AC9188C5D066E1BB65EB529803F3AF302CFA627FA12B94DCBEDFFBEBBC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029952Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:18.326{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E5CD3E75754EA4711ACBF8DA50BE51A,SHA256=EA69C05B76E37B9BD186C2CF56CCF8D5EE98555F994F490183C70A746B4C8381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029953Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:19.576{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E0A57D812D97BA9D6322486E4206D8,SHA256=6B4FD947B6AC369E1F85118B65CE23FBF932320717A3EF356EA6D4F97AF9715A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:19.484{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B8883D3B7D9463182F1B1A6C1516D8,SHA256=C127FC22A330C2C97343CFEE1D844C854E5F6D42255B9167168F644E6A42CEF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029955Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:20.998{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=6019ACB3B4FCE54F12739FAF5347B223,SHA256=E65105A4EABDBA030EA2C6681A72F0BDB3EAF20B807744A5A4BA76632D327C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029954Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:20.794{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B9C956A4331D36B6636A75C60BCFA4,SHA256=6D0923E91E3E37A63D2AEEDBC647F27968C5F3261C3203D0DAE78BFB71D9A60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:20.506{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCAE13851CAEEE1214149518220867C,SHA256=4E27048EC1E7549283242443B3E7FAF8066EDD4B0B24BC2212F3C8C2EB38E5D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:21.507{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C007B059F0F1A6F12FC783AA16A7A5A,SHA256=45C4FA39A15C9327567198BED10CA0E71404B59B14083872CE4B6108EEBFD10D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029957Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:19.971{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51326-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029956Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:21.498{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:22.509{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27CAAD188838AF143512DB37C969FFD,SHA256=08D83E482231F8AC0C3CD776A804800EF9D81A1B644C8EE24EB843B3188F2629,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029959Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:21.362{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000029958Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:22.029{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB25D80BA659C68930E32A45E91E3F21,SHA256=6D954BC76559A46DDA46B9A8368D96476BA7F04466FFFB890503879B5A53D38E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:20.939{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:23.511{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098EC94272D40AF18EABE7880725301B,SHA256=D46F0C84ED2168A3F645B7CFC8F24246918F7BEBA3B5F3DBCA44906829B5A3DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029960Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:23.143{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE809F15129A43EF0BB9AF365BD85174,SHA256=BF520650F0CA5A9112E12F55F88BD50EB9CCA183FBCE9AAE7BD40BAEE35F0889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029961Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:24.299{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF67BD565D5AB9F6106049CD00703BBB,SHA256=11F0A4EDF8FD31E3B70C1BA4B932D70C79AE5F037EB414EFDA81CD8E5522BD1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:24.743{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=33FCFEBD8D0D7BFDA3E3093B8EC349EA,SHA256=74FB0CAED5A72B96CB32B24CB0E5A19ADA0615BA413AC2346386512F38D83C36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:24.512{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33220C79851AA76F5F6FD6CB75CA7DE8,SHA256=BDCC432D884CE6CC8AA2A5EA2C154C2CEA057A62FD7318E8868D31130DD886B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029962Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:25.518{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFB51628CAEE39768B16C2F96F5EB132,SHA256=F89F75F5F281058205271F03A3009AD2F43B30EA9DBC1817C29931CA86AD97AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:25.514{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A352338F5900435DA3E8F18936A258D7,SHA256=A27BADE629A063A25EE3ED7F2D04EAA7B34D3A9727BDFB51867376E36FEFC5B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029964Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:25.101{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029963Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:26.752{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BEA4BAD9048ECD9F51FC6BEEC3F4B1B,SHA256=55CDCD26206CF936E148A953E5F78C77172D11E1F65E462A8423538336CB27A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:26.515{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DF066951E56EB8949F4CB99AC59071,SHA256=667C942C6FA8897A7DE31DF3EEB7EB54C1821357B2237DBC89FC1E0107215C8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029965Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:27.987{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB94949C0E30B3A0083801D536A6B09,SHA256=220E448F99FCF4EE4E8869F5BF65C36C257B144C486A4B2346B82187187C33CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:27.517{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47866D68B7BC263FEEE6C970226CD553,SHA256=0228A9C6C5B8684EB9A27BC6C0878A0B4BCF49368881BA8FFE4FD9D818616D84,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:25.967{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:28.523{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4CD4060F5310ADB5EE5C68E059CBE8,SHA256=C68CDA6CA148D2E9ADC651CAD7476323D2EEC2F45DB3C5821DBDEF8772BD2A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:29.539{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF0386F44292514950008EDBB41D64,SHA256=4C03BAA0F35CB0BB876FCC973367E032A68643DD87A132E43472B9CD70ABBBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029966Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:29.018{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9376D9A69B2B51AB9BCBA6A40E6316E4,SHA256=4DB7D4747043430FB2AE9C241272920EC62E824D9F5FA564F18944F05F11A2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:30.588{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CFA444FF68FF020FCCA17ACA4C50172,SHA256=2648E044C102FA8A2C43B0D30418172E275C74FA988AB2153D5072B82CE687E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029967Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:30.174{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF478F930FF3FB6141F779D8E38C656,SHA256=33BDCE2C3B50910695F7AA3504DA353763354715285A6BBB96077AC209170503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:31.590{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83B54079D6269990F60D2F1EF72890B,SHA256=6612714A04920EC29502A9C53425DFC64431275E79D6EF732129BFBC1E350835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029968Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:31.205{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE870A7F64AAF8CFDCF1984AAD5374A6,SHA256=187742EBD5A2915FFBC8AAD36ABF909FFDFA5CA494F804E9B14DFBDC64C982F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:32.592{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07FED4FCAC4C0D2AF2871BFB4E746FF,SHA256=BACDC431E2ABFA7EFC2C83CFCB8F12D2AE9F9182AC5DB37CE13DF0CFA1C4B682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029969Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:32.440{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBA1583EEC20EC1E69023B3BFC49663C,SHA256=5AC88C7E9914DBB01C603E47DA061DAC2F4023CB9680485D4FF20F33A409E1B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:33.603{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98654BE4763C852C90B1F466E3E881BE,SHA256=410A98C83B06540C145049B89833E174B89843DAACB6DA88ACBE341D2D00E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029971Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:33.580{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D93B873E47ABEA7BE6EE357851E6037,SHA256=706B0588A959768CE1B9CC5D75694C295A6953BD50BB2242BA74E9DECE3D38EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:31.172{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029970Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:30.929{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029972Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:34.800{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E532E8976E532D3647E317063C32A26,SHA256=DFD3DC64961014B1A622B4B70C2270973E5AF009D9EB0B5E379E593A76962E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:34.634{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7468506318E5DFA150DE244374D2285E,SHA256=278F147E6D9DDBA34D338665172C7523A2761CE6EEE8CF1D227C917600A93544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029973Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:35.828{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69533DA14EA42A8B6685657F17F65FFD,SHA256=5DCC76AE91CF99053763CF9FF24E2BF4C03682F2B27E5C6A2BC9F49E42BAE8EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:35.635{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B38BD1F74749716A0E43C929FB33715,SHA256=14F8A3E04ED1A8977A175198C00608CB187B234F4D60D99EC6C20085260F503C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:36.650{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BD810432409B8A1E891326A49308B7,SHA256=650BF542995F74D8826E3371C3BCF29E4CCDB38A87586B66A9802FA8E571AFFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:37.658{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218F07F921B713B210730496010C26DC,SHA256=8D2F1DB6193CC6021123F8E492320066FA3A32269A2F65CD888B7671FEACE34C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029974Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:37.034{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F669168B1D4E2E01D312522B0BE4EB,SHA256=C9DCFF22F9A8E57C59D8D52A5AF9BAF1160B6E711BE96D9E98603355ACEF3376,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:38.662{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA4A2851B8A23F5C6FD410A52A0BB7D,SHA256=96F8481FD5DDADD0562664952327A9B5124DE9BBC8DDE2EF302E17EF2FEC6673,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029976Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:38.252{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE542AA69C5ACEAFB935DDCC5FB16B14,SHA256=74EDF96293B74CC1723DCA8BF9D57646FAB00A6DA302FC987E7B1A95CAD37535,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:37.161{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000029975Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:36.036{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:39.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31232059132184CB87D3C541CD6C6751,SHA256=9B13987CAC4B0A8137C21EA9629FE5C2A372D2D823E70A279D32AD8D291E7788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029977Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:39.440{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE0839721D3EF4A5526FD64F36BD35BC,SHA256=56990A1218A05CB7F80C7953D7F95FE56055EF8C1F2C2AB9417044EC3AFC403D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:40.825{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11FB1A1D836D6C73FA47C2CF787FFA7,SHA256=EF3F3D839D3B261FAB00508A2BB68FB1292DCF57A75B5A756E1A8FE4CFA503AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029978Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:40.565{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFCCBF10D2A31099F47A59A609BAB39,SHA256=A775EFF30A5D0B56DDF974968AECCED7229B0E97967CFEE81AF2E257FC7AF691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:41.846{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB2196FA38C7A0AFC4EBF89FEA54924,SHA256=13B0098CF6C47F786F614FE69C4F28502778301332C5A4221A9B1B7F5E92D057,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029979Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:41.580{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9CEF26551F06B66D0A48050530844A5,SHA256=A07055241774B1A82B524118FB7E2DDFC1DDB4606CF815745DA6AC6740AF0DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029980Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:42.816{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F868F6B324F17C1214CB4A4DCAC05A03,SHA256=7576B8CDA19946F88E49BC2FB07B3E440C948C489D2DB042D50EBC4BEA8088D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:42.848{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA39635E972F54ADF93418C9FA1E6F21,SHA256=3A161A7C70BD767191E2FBB685A6874BC37AD17FC0CD0F071B4C2F6D95A80E46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:43.849{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9510923DCE914EDD7C63CF0E53FFA16,SHA256=96C3ED7B1A71F9E447151CCA61336158D77C88E488938EBEF254589B96619458,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029981Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:41.116{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.886{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF74CCB6EE4CF98C67CD68663FC214B,SHA256=9C632306B7E936F926A1DD6D475D4196B5735F62E3E2E639DF51FAA7AD8FE965,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.728{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.728{43EB4363-564C-60F5-CA08-00000000E501}6696ATTACKRANGE\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-walMD5=E83600EA9458B71068AE9640EB6B4770,SHA256=29E9C6B4449C91368FE43F1EE29E6133FCDF202050F382E92A549EE2F615ED15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.728{43EB4363-564C-60F5-CA08-00000000E501}6696ATTACKRANGE\AdministratorC:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db-shmMD5=241B8A0809CD426DBB96FA8ECC781356,SHA256=C5EEE32D3138188B6AA8E5154FF98F93717A7508DD36880C20070372DA4E3502,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.590{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.590{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.590{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.580{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.580{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.580{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:44.580{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-564C-60F5-CA08-00000000E501}6696C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:43.111{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65223-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029982Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:44.050{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03201242DE12814ADE9CED0F3E3669B,SHA256=9CE30AEA3813BA45C5F41D91B045594821494D3DCABB1708AD01E0D3B0A609D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:45.916{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC15807823A552CB18C045AAABB20DE,SHA256=F7B641822B925C3958A70E727D8E8817B180A472AFB17C5E95435B0769E53026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029983Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:45.082{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4F4C07D072E9C491743F6E52A7B4C2,SHA256=970A81685C9356CF679DC4D8BF352C1CEE78317AA8AC1B86163D4DCCF27358B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:46.946{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D29C7D886FEFB06E56A008F40C6B19C,SHA256=5C4D09703CB72644802FE59F4DF0FE4B492FA3B3641A402C8F729F43D800C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029984Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:46.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607630EE9FF24EF1225B5990509BD5CB,SHA256=383C3681FCA4C693C729DC7556FC068D8EA1129794FC9AF0EAA40B9A40F38C7F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-VerSetValue2021-07-19 10:51:46.846{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{826089b5-2077-0a1a-187c-385a32ec395b}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\BinProductVersion16.0.13127.21668 13241300x800000000000000067440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-19 10:51:46.846{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{826089b5-2077-0a1a-187c-385a32ec395b}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\LinkDate06/05/2021 06:14:29 13241300x800000000000000067439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:51:46.846{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{826089b5-2077-0a1a-187c-385a32ec395b}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\Publishermicrosoft corporation 13241300x800000000000000067438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PathSetValue2021-07-19 10:51:46.846{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exe\REGISTRY\A\{826089b5-2077-0a1a-187c-385a32ec395b}\Root\InventoryApplicationFile\officec2rclient.|62d1554663c79908\LowerCaseLongPathc:\program files\common files\microsoft shared\clicktorun\officec2rclient.exe 13241300x800000000000000067437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDBSetValue2021-07-19 10:51:46.746{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeBinary Data 23542300x800000000000000067443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:47.964{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615127DB57CB56BBF6982A8D987C3756,SHA256=48F7BF2B90559ECD41B6C114E2A7D538825644F8A42B48861D8A0909220F9719,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029985Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:47.175{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D009A54B4D114AB150C0BC086EBD60F7,SHA256=E48853BD442D9FA8890CB2F2A7ACD45582C030968527E151E0ADC21FE7A5D0F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:48.982{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE483E361872186B1970A5B70175DD3B,SHA256=8B7B94C46FF8D2CC4B117E5EF6100F967925491208ADE7E85AB2DDE77384326B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029987Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:47.008{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029986Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:48.191{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FEF3422E3D24790E7D567AE8FB7A4C,SHA256=8767B04F21E687E8B20E8DDEC1F9017B837003C4ABAE46AC1087282EA995021F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:49.982{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A515F4A910E7DADF9FABBD4963234E5D,SHA256=753D04F54CAEF9EDF9636039544624E9BFA31D7231528A5973AC74C96E9BE16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029988Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:49.347{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70DED90F1B3013F0404D5E1A2101255,SHA256=B0C7D7D1FF7F83C9CC75902C53D77E50B2A013B9F24D3BC612AA86508AC34D1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:48.194{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000029989Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:50.347{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7874A373290430BBDA690342470CDAF8,SHA256=2687CF4C5B7CBA9136C3E80824412CC7C48FEB49319947E5AE9A1B8A1B881129,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5946-60F5-EB0C-00000000E501}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5946-60F5-EB0C-00000000E501}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.313{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5946-60F5-EB0C-00000000E501}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.314{43EB4363-5946-60F5-EB0C-00000000E501}6644C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029990Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:51.379{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1977B1F88B46A24BF2C8886BB0E1648E,SHA256=14995EE1DC26DBE17221BAA39564D3DE520EC1308FBE8ABC873890360FF7D585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.543{43EB4363-5947-60F5-EC0C-00000000E501}80887828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000067466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:51:51.343{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFFBinary Data 10341000x800000000000000067465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5947-60F5-EC0C-00000000E501}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5947-60F5-EC0C-00000000E501}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.343{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5947-60F5-EC0C-00000000E501}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.344{43EB4363-5947-60F5-EC0C-00000000E501}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.328{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53E890AB39F579C9FF4D980808D6F10A,SHA256=1C9F1C89BA05112F582F1884FAFA486950574E2197AB9C31A5BFFB13BAFD1FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.328{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BAB6BD58A33755CB18A29771BCF8954,SHA256=5DC415BB97611335DC7657398EABE4A7DD8E1D74A64ECEE9391946D0CE896EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:50.996{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9103135419ACAB5BEFBB9672593FE3B1,SHA256=441CAFE53D3CF8F1C2D164E3FDD21DBA57212E0CC436C3DBA8C44127F5CD4C04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000029991Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:52.597{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB7EF63EF1C85CD0FC7E49C15A9973F,SHA256=59210BA2A96E78852B2A82B00608D04EF940FB72FE7C8A199F915B79A9CFE351,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:52.858{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:52.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53E890AB39F579C9FF4D980808D6F10A,SHA256=1C9F1C89BA05112F582F1884FAFA486950574E2197AB9C31A5BFFB13BAFD1FFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=077E46FFFB6BE31901553C8AD6231149,SHA256=F02A7356FCC333BE156BA66E2C177F2C1C66B570F1463C206FA68549CEA7E8C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5947-60F5-ED0C-00000000E501}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5947-60F5-ED0C-00000000E501}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5947-60F5-ED0C-00000000E501}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:51.997{43EB4363-5947-60F5-ED0C-00000000E501}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029992Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:53.832{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6DB9041D673E5CB0A1FC2B69503D4FE,SHA256=C4C27FC7A558CDF4A5A43D633ECDF871A62448294632EF758C1F69D3611D11FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.880{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.880{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.880{43EB4363-55C5-60F5-8808-00000000E501}46328148C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.880{43EB4363-55C5-60F5-8808-00000000E501}46328148C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.842{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.842{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.826{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.811{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000067504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.811{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x800000000000000067503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.811{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C5-60F5-8808-00000000E501}46325512C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C5-60F5-8808-00000000E501}46325512C:\Windows\Explorer.EXE{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000067497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.795{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000067496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A7-60F5-0D00-00000000E501}884912C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-55C5-60F5-8808-00000000E501}46323800C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.780{43EB4363-55C5-60F5-8808-00000000E501}46323800C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.479{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-37A2-60F5-0100-00000000E501}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000067479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.011{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E6056B50CCEDCCF68B4A4AC638D76C1,SHA256=B3C07ED0266C48E52B01384C29FD2A478CACDB875D298B26DE75A90AA7A2B3AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000029993Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:52.931{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000067542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.884{43EB4363-594A-60F5-EF0C-00000000E501}12924656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.731{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-594A-60F5-EF0C-00000000E501}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-594A-60F5-EF0C-00000000E501}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-594A-60F5-EF0C-00000000E501}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.716{43EB4363-594A-60F5-EF0C-00000000E501}1292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.425{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65229-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000067532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.425{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65229-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local445microsoft-ds 354300x800000000000000067531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.416{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65228-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local49666- 354300x800000000000000067530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.416{43EB4363-37A7-60F5-1400-00000000E501}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65228-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local49666- 354300x800000000000000067529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.415{43EB4363-37A7-60F5-0D00-00000000E501}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65227-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000067528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.415{43EB4363-37A7-60F5-1400-00000000E501}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65227-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000067527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.301{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65226-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000067526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.301{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65226-false10.0.1.14win-dc-876.attackrange.local389ldap 354300x800000000000000067525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.294{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65225-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000067524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.294{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65225-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 23542300x800000000000000067523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.384{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47CB287F2507857C06BD6748B41A44FD,SHA256=9FECAD939615AAAD5F9D7B83E17D0B98E2DA7082CCCD86B9D446D12511849740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.268{43EB4363-594A-60F5-EE0C-00000000E501}80328100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.127{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B79A13C47E6BD2659C1E0241B23281D8,SHA256=499C6F635C03B1A1688715AE7D9AB0E21CCD93A4E7B3AB4562F4ABC5B8F666FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-594A-60F5-EE0C-00000000E501}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-594A-60F5-EE0C-00000000E501}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.042{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-594A-60F5-EE0C-00000000E501}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.043{43EB4363-594A-60F5-EE0C-00000000E501}8032C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030008Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.582{53AF6CEB-594B-60F5-3306-00000000E601}944572C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030007Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594B-60F5-3306-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030006Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030005Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030004Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030003Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030002Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030001Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030000Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029999Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029998Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000029997Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-594B-60F5-3306-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000029996Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.410{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594B-60F5-3306-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000029995Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.411{53AF6CEB-594B-60F5-3306-00000000E601}944C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000029994Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:55.004{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A11DBE9EE6274F7255307C006AEFF24,SHA256=08C1F7297DF0AF260FB02F306BBF912145C895359E5FF4DBD4F30D9C10B98279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58C591C66A27F8D12EAAD51B45B62282,SHA256=A5CF36014A4E4B9752F111898EBBF988AC42481D076821C791B8D118E66077DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-594B-60F5-F00C-00000000E501}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-594B-60F5-F00C-00000000E501}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.730{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-594B-60F5-F00C-00000000E501}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.731{43EB4363-594B-60F5-F00C-00000000E501}1312C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000067548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.644{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65230-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.644{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65230-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000067546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.583{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A4BD3817262333A2F1DCA360A1034BF5,SHA256=BE1B184ED25E3ADCFC4DF80E92BFB57D619D5771B60F2A15B77BB6ED4C166954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.583{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6C3E94CC32DA04D49FAF387E9F69ACAF,SHA256=21EEEF68215D605F082589895168411B5C42FB5C17C67B825E65660E98B120A0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000067544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:53.416{43EB4363-37A7-60F5-1400-00000000E501}1100win-dc-876.attackrange.local0fe80::f105:4095:771:5c2f;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 23542300x800000000000000067543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:55.131{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114C5EA357A9D33B39F79DD58FE6F166,SHA256=A88C20B7318B5EDFB61B97DD2844CEA92E3779B5FCE8F624B13988E16252C185,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:54.091{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.735{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B77F7D12EFAB5A03798CA1BA010C2BBB,SHA256=EACEB8917E8E830D775899AA7F0DC82FFA287E1E04EEDFD1481DE4333832273C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.678{43EB4363-594C-60F5-F10C-00000000E501}61726344C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.367{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.367{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.367{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-594C-60F5-F10C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.367{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.367{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.364{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-594C-60F5-F10C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.364{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-594C-60F5-F10C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.363{43EB4363-594C-60F5-F10C-00000000E501}6172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:56.183{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=466912CEFCEE6478EC7980219CB50358,SHA256=B527877AED12EF598E2134DD7488ABB4F7C1626DE49B9172A90DB7CB060AE77B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030037Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594C-60F5-3506-00000000E601}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030036Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030035Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030034Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030033Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030032Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030031Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030030Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030029Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030028Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030027Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-594C-60F5-3506-00000000E601}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030026Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594C-60F5-3506-00000000E601}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030025Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.754{53AF6CEB-594C-60F5-3506-00000000E601}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030024Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B8391128551E713D7FF7866E911558,SHA256=84BDA51EA1EF8A8364C88C4F8D87BE1A4B7A66963871CAD46B227FEE90C5ED7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030023Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.425{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC115423466ED02126F98ACECEE8A710,SHA256=130033CC94B1939073A6389E16AFB60FAB3867ABD87BC6C34AA363D0E55189AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030022Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28C71E04FF98AB6BC2BB91E61604BF8E,SHA256=5A4A1E989B1616127D6273E4E2538AE3C471159DA58F5A243B78D2998BBB194E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030021Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594C-60F5-3406-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030020Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030019Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030018Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030017Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030016Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030015Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030014Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030013Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030012Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030011Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-594C-60F5-3406-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030010Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.082{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594C-60F5-3406-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030009Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:56.083{53AF6CEB-594C-60F5-3406-00000000E601}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000067599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.698{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x800000000000000067593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.567{43EB4363-55D1-60F5-9B08-00000000E501}640ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VP1F0BXW\microsoft.windows[1].xmlMD5=4D7C6509FBB64A48956B141D974B0691,SHA256=458925613A809D11B923013480E3F16BC714AA715D33A550849F12507BC6D2C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.552{43EB4363-37A7-60F5-1600-00000000E501}12723148C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.552{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.552{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.549{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.547{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.547{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F30C-00000000E501}692C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.512{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.512{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.493{43EB4363-37A7-60F5-1600-00000000E501}12723148C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.493{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.480{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.430{43EB4363-55D1-60F5-9B08-00000000E501}640ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VP1F0BXW\microsoft.windows[1].xmlMD5=4D7C6509FBB64A48956B141D974B0691,SHA256=458925613A809D11B923013480E3F16BC714AA715D33A550849F12507BC6D2C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x800000000000000067579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-55D1-60F5-9B08-00000000E501}640ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VP1F0BXW\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-594D-60F5-F20C-00000000E501}4380C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.413{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x800000000000000067574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.229{43EB4363-55D1-60F5-9B08-00000000E501}640ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VP1F0BXW\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.214{43EB4363-55D1-60F5-9B08-00000000E501}640ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\VP1F0BXW\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.214{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000067571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.214{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:57.198{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FDFE2DAF8197C1FA91199511AA60866,SHA256=B7446DF257862452F0746646087F0DB1BE5E2CA8F880D9DCFDB75876FFAE5141,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030052Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.910{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=75B8391128551E713D7FF7866E911558,SHA256=84BDA51EA1EF8A8364C88C4F8D87BE1A4B7A66963871CAD46B227FEE90C5ED7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030051Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594D-60F5-3606-00000000E601}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030050Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030049Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030048Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030047Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030046Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030045Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030044Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030043Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030042Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030041Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-594D-60F5-3606-00000000E601}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030040Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.832{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594D-60F5-3606-00000000E601}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030039Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.833{53AF6CEB-594D-60F5-3606-00000000E601}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030038Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:57.175{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F30EDE8F7F3788E7E7F970F59C09E0,SHA256=74F24B595D79AE3F33CBD6FCF8934C51F619DF8800ABF8BC0DD2E0F07A14583A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:58.419{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CD658EEAEF8C5E162D6D2AD26388833,SHA256=C416D961A2D7F42AC90B1CE8FD24F0B96EFB4FEEB3646EF157AE159E9430631E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:58.403{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DB2A10D905D6281773146C6B52D652,SHA256=2B7EB581160E1877365FE226EF1EE274004546E8F82F187D10108434273C2DF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030067Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594E-60F5-3706-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030066Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030065Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030064Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030063Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030062Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030061Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030060Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030059Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030058Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030057Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-594E-60F5-3706-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030056Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.972{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594E-60F5-3706-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030055Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.973{53AF6CEB-594E-60F5-3706-00000000E601}728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030054Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.269{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82D4219AE3CBEE0C8C42C96517F2772D,SHA256=1C98DBC530CB96DE3FAF6D36397A2768E7864CBEF6108874FFE878C7BD321095,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030053Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.035{53AF6CEB-594D-60F5-3606-00000000E601}34281340C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030084Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.832{53AF6CEB-594F-60F5-3806-00000000E601}32083956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000030083Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:58.009{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030082Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-594F-60F5-3806-00000000E601}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030081Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030080Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030079Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030078Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030077Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030076Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030075Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030074Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030073Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030072Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-594F-60F5-3806-00000000E601}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030071Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.644{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-594F-60F5-3806-00000000E601}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030070Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.645{53AF6CEB-594F-60F5-3806-00000000E601}3208C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030069Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.347{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C34CCF2ACBF95E4ADF6073A599563E,SHA256=B43CF3BEA6ED4151F227C1903DA4445088BB600B320C0F207C8EFC172263FA7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAE8BB974F166406887D1D756EC9C89,SHA256=9AD54550AC35EA430F15133D4E4C2A15D2696A459D4090E2F081396FC9B324A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.552{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=509FFBD9C3FE1803F1104BA738E2CA84,SHA256=CB73C25018B629B9B8F9648F1884DE5D5CDB23C318952A103F9D2528A390BA07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.473{43EB4363-37A7-60F5-0D00-00000000E501}8844836C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.473{43EB4363-37A7-60F5-0D00-00000000E501}8844836C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.473{43EB4363-37A7-60F5-0D00-00000000E501}8844836C:\Windows\system32\svchost.exe{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.473{43EB4363-37A7-60F5-0D00-00000000E501}8844836C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.355{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.355{43EB4363-37A6-60F5-0C00-00000000E501}8284892C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.354{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.354{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.100{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.072{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.053{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.052{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.052{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000030068Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:51:59.207{53AF6CEB-594E-60F5-3706-00000000E601}7281632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030086Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:00.488{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60022B55CD542438FF026E67216E5DE,SHA256=61465092C29E50D75EBEC26C315635AF43004F175EDAAF74B900C0B722385617,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:51:59.183{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.487{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243DC96583CB12B8B0DF050F332298AB,SHA256=04A477F83DE08AD9ABD9D8A40933B207531EFB2CC4455F8C1FF6514D7EEE25BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030085Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:00.004{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B9BBD995EFCF92F99EA763B87EB02AD,SHA256=3CD05395A184BA27DC87A6F2A2DE1BF0B9B2BE4340E05F2A35EDB409761CB747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.112{43EB4363-37A7-60F5-1600-00000000E501}12723148C:\Windows\system32\svchost.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.112{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.107{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.103{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.088{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.088{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-5950-60F5-F40C-00000000E501}4896C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.088{43EB4363-55C4-60F5-7D08-00000000E501}24647740C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+1475b6|C:\Windows\System32\windows.storage.dll+148f18|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000067646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.072{43EB4363-55C4-60F5-7D08-00000000E501}24647740C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+ba4b0|C:\Windows\System32\windows.storage.dll+ebb84|C:\Windows\System32\windows.storage.dll+e927b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea 10341000x800000000000000067645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.072{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.072{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645396C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645476C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x800000000000000067637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:00.056{43EB4363-55C4-60F5-7D08-00000000E501}24645444C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x800000000000000030100Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.722{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB73CC7C52C5D2618F8E7485C975A417,SHA256=273E2810F42FC397BF066F5A8A533C9A50E39F71D0461158814A38C9EB1A45ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.871{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.855{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000067683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.855{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 10341000x800000000000000067682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.833{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000067681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDBSetValue2021-07-19 10:52:01.702{43EB4363-37A7-60F5-1000-00000000E501}368C:\Windows\System32\svchost.exeHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEBinary Data 10341000x800000000000000067680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.702{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.686{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000067678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.686{43EB4363-55C5-60F5-8808-00000000E501}46324716C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000067677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.655{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.655{43EB4363-55C5-60F5-8808-00000000E501}46328148C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.655{43EB4363-55C5-60F5-8808-00000000E501}46328148C:\Windows\Explorer.EXE{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.655{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.654{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.654{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.654{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.653{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.653{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.652{43EB4363-55C4-60F5-7D08-00000000E501}24644672C:\Windows\System32\RuntimeBroker.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\system32\windows.cortana.Desktop.dll+42239|C:\Windows\system32\windows.cortana.Desktop.dll+318b3|C:\Windows\system32\windows.cortana.Desktop.dll+320d4|C:\Windows\system32\windows.cortana.Desktop.dll+7e45|C:\Windows\system32\windows.cortana.Desktop.dll+81c6|C:\Windows\system32\windows.cortana.Desktop.dll+8209 154100x800000000000000067667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.626{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13127.21668Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Windows\system32\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=1E202F32969E42DE1E80CA9B091E32FB,SHA256=0A395756F676210C91DC8F91E9F39F4CB65B6F4D35E80DDDE6F27D2E8B8636C8,IMPHASH=21DECB0B7EE3F890B1FF9B6C42996CAE{43EB4363-55C4-60F5-7D08-00000000E501}2464C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x800000000000000067666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.602{43EB4363-55C4-60F5-7D08-00000000E501}24647740C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+b7dcd|C:\Windows\System32\windows.storage.dll+ba4b0|C:\Windows\System32\windows.storage.dll+ebb84|C:\Windows\System32\windows.storage.dll+e927b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0 10341000x800000000000000067659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.586{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x800000000000000067658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.586{43EB4363-55C4-60F5-7D08-00000000E501}24646084C:\Windows\System32\RuntimeBroker.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x800000000000000067657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE854E07124CA8F46701F44123E01F1E,SHA256=FFA271A95C2F48E5ECED54DACFAFE40A5D343ED6D217B2ACC90BE06A817DE802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030099Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5951-60F5-3906-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030098Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030097Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030096Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030095Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030094Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030093Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030092Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030091Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030090Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030089Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5951-60F5-3906-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030088Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.316{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5951-60F5-3906-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030087Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:01.317{53AF6CEB-5951-60F5-3906-00000000E601}3976C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000067656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:01.103{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E336C4D839FD8A657048C81C04A9BD6,SHA256=0684F3BE548D53491F7824860DEDF358B53624ECB73A1E2F64D670726DB5061D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030102Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:02.957{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA8660D9BCD338FF590C3810527C856,SHA256=1A61ED91E2C4D73711DAEE3F1F98D2BD94091119788E8A1F41778AE9E72FE0AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:02.744{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750571FC414238CCE8EA768964D5E42A,SHA256=49A787EBDC9EE2A2FFC6337B46A26DCCD6D91D1FE1FFCD4F314CD70556531955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:02.744{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FD9D255ACD7ED5B7B6C943B944529D8,SHA256=C4AE501469612E4D116507EA9BBF756E51DA7F9EAC3F90121A1CBCF795426CA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030101Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:02.347{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A47EAB56DB6D5D5C215827C6F48391A2,SHA256=61AD074DE97D3CD1E4A4E8503F8C5C6BFE83D2282B68A43B4DEFE19E48A6FBCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.941{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B09A97FA8434F94EE2A1F9DA4E5EDB22,SHA256=CA4CBDB96904FA1F6245ACBBDB82E5D945AC5AC3A4BE2FE5AC165133E7BE14E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.941{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2FE9B4D9FEAEC69FEA33F3B278CCB3BA,SHA256=54565BF5DCCCE5ADC9BC0E8418ABBA803BBC280AF9B58586AC1CD4873410B14B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.941{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.941{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.925{43EB4363-37A4-60F5-0A00-00000000E501}6081020C:\Windows\system32\services.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.925{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.925{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.904{43EB4363-37A7-60F5-1600-00000000E501}12727760C:\Windows\system32\svchost.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.888{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.857{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.857{43EB4363-37A4-60F5-0A00-00000000E501}6082808C:\Windows\system32\services.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.841{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.841{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.841{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.841{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.841{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5953-60F5-F70C-00000000E501}6640C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.794{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.794{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.794{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-37A4-60F5-0A00-00000000E501}608C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.747{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B8EFDDBFBCA833676465B1B7D91C90,SHA256=BA63AF8767EE96AEE03BE62F8995B5C9438E17A483173D5D8B975C85B7400A57,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-07-19 10:52:03.725{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\16.0\Common\Identity\Identities\administrator@attackrange.local_AD\FriendlyName(Empty) 10341000x800000000000000067709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.657{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.641{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.641{43EB4363-37A5-60F5-0B00-00000000E501}6247612C:\Windows\system32\lsass.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000067706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.457{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\CommandLineSafeDWORD (0x00000000) 13241300x800000000000000067705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.457{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\LoadBehaviorDWORD (0x00000002) 13241300x800000000000000067704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.457{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\FriendlyNameMicrosoft Access Outlook Add-in for Data Collection and Publishing 13241300x800000000000000067703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.457{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\AccessAddin.DC\DescriptionThe Add-in allows Microsoft Access to integrate with and enable automated scenarios around Data Collection and Publishing around user created Access solutions 13241300x800000000000000067702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Word\Addins\OneNote.WordAddinTakeNotesService\FriendlyNameOneNote Notes about Word Documents 13241300x800000000000000067701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\PowerPoint\Addins\OneNote.PowerPointAddinTakeNotesService\FriendlyNameOneNote Notes about PowerPoint Presentations 13241300x800000000000000067700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1176SetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButtonYes 13241300x800000000000000067699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\LoadBehaviorDWORD (0x00000003) 13241300x800000000000000067698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\CommandLineSafeDWORD (0x00000000) 13241300x800000000000000067697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\FriendlyNameMicrosoft SharePoint Server Colleague Import Add-in 13241300x800000000000000067696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1137SetValue2021-07-19 10:52:03.442{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Outlook\Addins\ColleagueImport.ColleagueImportAddin\DescriptionThe Add-in allows Microsoft SharePoint Server to import colleague suggestions based on your Outlook content 13241300x800000000000000067695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:52:03.426{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\ocsmeet_auto_file\shell\open\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\lync.exe" "%%1" 13241300x800000000000000067694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localT1042SetValue2021-07-19 10:52:03.426{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500_Classes\ocsmeet_auto_file\shell\edit\command\(Default)"C:\Program Files\Microsoft Office\Root\Office16\lync.exe" "%%1" 13241300x800000000000000067693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-07-19 10:52:03.426{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Excel\Addins\AdHocReportingExcelClientLib.AdHocReportingExcelClientAddIn.1\FriendlyNameMicrosoft Power View for Excel 13241300x800000000000000067692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,DeviceConntectedOrUpdatedSetValue2021-07-19 10:52:03.426{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\Excel\Addins\PowerPivotExcelClientAddIn.NativeEntry.1\FriendlyNameMicrosoft Power Pivot for Excel 10341000x800000000000000067691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.394{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.394{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.377{43EB4363-37A7-60F5-1600-00000000E501}12723148C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.377{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067753Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.948{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72084593D73B2B4762FDEB9BDDADD9E9,SHA256=AF32BDBB076666C40337EA59725415267FF417D4F1D1BD5C0A27A7BAFAD05D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067752Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.947{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A4BD3817262333A2F1DCA360A1034BF5,SHA256=BE1B184ED25E3ADCFC4DF80E92BFB57D619D5771B60F2A15B77BB6ED4C166954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.852{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.820{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27B18484A7FFB68F26FE77BD49814ECC,SHA256=7746595751CCA3A8AED6F702314D4B6D057CB002E1482DE24707F86A631A6997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.820{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=005DF88EC3932481974AE3F49D04CA7E,SHA256=02DF4CACE53A14754E4ACD4DA66C2F921F1A4F0B53E35CE5AD22091C0EB9E5B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030104Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:03.117{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030103Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:04.191{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E3674F637CEE1C23072530DC79A967E,SHA256=0B45CE3DDE3FFDB4750E4E1FC4AF52D316419A3BEA593866E3BC1FA460F6F895,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:52:04.567{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CurrentSkuIdAggregationForApp\Publisher{3AD61E22-E4FE-497F-BDB1-3E51BD872173} 23542300x800000000000000067747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.552{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=51D0C5F0204A16E3DDD009D651179841,SHA256=F7CB9E754A405700204BC2AA2FAA4814D32802A7AA23D9ED5A1E06B773453391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.460{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=11237F2D074A2066DB28D937370C17BB,SHA256=B64D1E7B5FA576F32A57BF6D9D47A793C6A82E7D200F1EF615354214974A0F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.427{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=59C4B9867F2517116511AF374B0EB1BF,SHA256=EEB44DD405C3E9468A4EBE05C35CAC75397F09245F6B690147D8E1F01E2767F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.425{43EB4363-5953-60F5-F60C-00000000E501}43166316C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x800000000000000067743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.425{43EB4363-5953-60F5-F60C-00000000E501}43166316C:\Windows\system32\sppsvc.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.391{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=590FA7ABEED0E7CC0312F0EDACDC9E54,SHA256=0285A1CCD112EA2A5157E7DCDF7226897869C78AA6158BD1CCB24D60695B4F2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.390{43EB4363-5951-60F5-F50C-00000000E501}81806540C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b74a3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b7443|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b73b6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b6d5d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+159924|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+3ad8e|C:\Program Files\Microsoft Office\root\Office16\wwlib.dll+1f2072|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.368{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=766FD7CA99CBD3E6508F4962CF40BF40,SHA256=9DB95B742F2EC8ED404884996A46CBAD4C661FAA4616A0ACF70E7B29E43CA4AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.262{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.261{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.119{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B09A97FA8434F94EE2A1F9DA4E5EDB22,SHA256=CA4CBDB96904FA1F6245ACBBDB82E5D945AC5AC3A4BE2FE5AC165133E7BE14E8,IMPHASH=00000000000000000000000000000000falsetrue 734700x800000000000000067736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.825{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000030105Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:05.394{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A0B7368F85A9561CA7B59106CDEF290,SHA256=55B226B6E7777DDC7E3E0C38213F22C67746424B06B21C90EEBD72E5EC574925,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067768Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.355{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65238-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 354300x800000000000000067767Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.355{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65238-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 354300x800000000000000067766Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.315{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65236-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067765Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.315{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65236-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067764Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.895{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65235-false13.107.18.11-443https 354300x800000000000000067763Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.883{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local55005- 354300x800000000000000067762Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.883{43EB4363-37A7-60F5-1400-00000000E501}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local55005-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domain 354300x800000000000000067761Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.752{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65233-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067760Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.752{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65233-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 22542200x800000000000000067759Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.884{43EB4363-5951-60F5-F50C-00000000E501}8180attackrange.local0::ffff:10.0.1.14;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x800000000000000067758Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.754{43EB4363-5951-60F5-F50C-00000000E501}8180win-dc-876.attackrange.local0fe80::f105:4095:771:5c2f;::ffff:10.0.1.14;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 23542300x800000000000000067757Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.827{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD4355044734EE09D8BC5A2B8B9B1405,SHA256=B340004C451D78674B7FF76C69ABB701EBB53C30A56EFAE28D09EB55010B65D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067756Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.475{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067755Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.469{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067754Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.469{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067784Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.911{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53530- 354300x800000000000000067783Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.769{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x800000000000000067782Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.943{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067781Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.943{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067780Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.943{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 22542200x800000000000000067779Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:04.912{43EB4363-5951-60F5-F50C-00000000E501}8180autodiscover.attackrange.local9003-C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x800000000000000067778Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:03.887{43EB4363-5951-60F5-F50C-00000000E501}8180outlook.office.com0type: 5 substrate.office.com;type: 5 substrate.ms-acdc.office.com;type: 5 afd-k.office.com;type: 5 outlook-office-com.k-0002.k-msedge.net;type: 5 k-0002.k-msedge.net;::ffff:13.107.18.11;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x800000000000000067777Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.859{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cea|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067776Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.859{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5953-60F5-F60C-00000000E501}4316C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067775Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.842{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286620C4B2C351753F5E4492A4288E32,SHA256=7957A3570C5E94A026C092F4DCC4C3A8635843055A0F70E5E5B6D1E04D228F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030106Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:06.566{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DE07AF038901DCA3251E3508216ADB,SHA256=813F0A38BDFC7AC6D5C6D2EBFFAA6B2F93564CA6DF7501AE9ABEB937FB1FEB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067774Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.779{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B9CD9FE7592B1D902D9F9F14BAD036CB,SHA256=B8DCB5523FB7DB64547B69BF2E026BC897FBF25756466E8A66E504A321DCAD03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067773Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.541{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=C718AAB7E9E6E475637EAAAEA98890C7,SHA256=E7B1B1A19CBB309D22D99D1F75E0D36A044329F3C2C4109FC707D1E58AE5E7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067772Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.479{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=50E8F942DAD971F25B856B9175A37045,SHA256=2FD5A27DDE1C5CA4655C05CF8BFC90FADF23209087AAE69AC28B69760D5CF937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067771Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.426{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6C79E0148A900E3E4ED05527E1E31173,SHA256=5D8B4EC8B5F71E150CCEAF5081C3E0D975D65895D5F41FFAF06B0DEE6C0978B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067770Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.310{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=22FBC607A9ABA72DD6AF87207C42C19F,SHA256=9A4DB76E4176DF6CD9BF017E587A24F3458F6DA8921DC3EAA22DA073CEF7A717,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067769Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:06.026{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7D5700CD11DC890BA3CAF08E90D40B24,SHA256=68199EDD4B1031EA889A587FB65719A253A68EB78B5EB108AB67F77346C90DB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030107Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:07.800{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6856531B4FF7666179B1ECE7CA83D22,SHA256=15622FF5B2F336DEC208D00A3B4A7594C7C5807D2F63AFEB98180AE735C1976B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067793Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.852{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7D26B93DF68EEC8C4AD2B1F13047271,SHA256=E74EE6A2AAD2BA5A089773517783BEE95701BEF052DE326847B54B4FE24006D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067792Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.752{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=240433AF449531C97AB1A5BA59A8EC45,SHA256=21C31242AC1872D9328769148C683C91DD2356D32DAF04EFC1448FF914663E2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067791Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.027{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=EF0EE6137A5F4D411D42F44C4F6DE6BF,SHA256=0FCD36DDD2A8165568E2C2E2844A39414011BC6D386BFC0ED396EDCABCEFA503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067790Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067789Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067788Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067787Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067786Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000067785Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:07.012{43EB4363-55C4-60F5-7E08-00000000E501}2288388C:\Windows\system32\sihost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067803Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.853{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45FBFE1E17205E84F3063092589EF129,SHA256=DED26B285DBDA0A0D621E47E2B31B3C61654D39D34F8E4AFE0611EBFDA0566E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067802Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.817{43EB4363-5951-60F5-F50C-00000000E501}8180ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journalMD5=5AE197C4A921B5F60DBD9B0D9D5E0540,SHA256=50DC0D1BC5547479E3E2D061AB771946F76D0CFCC0F2F5273535812E4010D3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067801Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.800{43EB4363-5951-60F5-F50C-00000000E501}8180ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-journalMD5=7FA379E97CA56D61314D478600BA0BA1,SHA256=720B0AF7BB2DB80FABE0643F123DCB2376B102FEE028CD0D808A2AE04F999C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067800Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.384{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9E555EB0BDF6C7CE60698ED8CD30803D,SHA256=21F56D5B0CD55152B0C2B04DA6AF512AAB4ED69685709DFF5528542FDAC93DC6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000067799Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:52:08.384{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\LastKnownC2RProductReleaseId\PublisherO365ProPlusRetail 13241300x800000000000000067798Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localInvDB-PubSetValue2021-07-19 10:52:08.384{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\16.0\Common\Licensing\CurrentSkuIdAggregationForApp\Publisher{3AD61E22-E4FE-497F-BDB1-3E51BD872173}, 23542300x800000000000000067797Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.353{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=22B02EDF4195C296BB80BDD5CF10A34A,SHA256=59C709F1AEB0EE1F944F4B3EBF9C6BA24F19EE864CC80ED10211C91EFAA82E49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067796Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.100{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067795Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.654{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local58233- 354300x800000000000000067794Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:05.048{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067807Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:09.868{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630A992044C65BDEC547A9EC0109DA04,SHA256=6BFB0E8AA954C41F9361E9798CAACA44405C3CF5C941B01DA892353C5E4C01DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030108Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:09.035{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C16947D9E727801AD6FA72CF5CB27E,SHA256=854F0DC081EEE757E1344FD4D2EF66D828DFF07563358927D9DBDA6B6FAF5B9F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067806Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:08.132{43EB4363-37A7-60F5-1300-00000000E501}676C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 10341000x800000000000000067805Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:09.668{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067804Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:09.553{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\extensions.jsonMD5=743BB23631DC68D55978141E327914A0,SHA256=68AEA094611A5083A81642D26DC7E46D8BCFEE67E111C07C2DABFB559CB6887A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067809Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:10.882{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18577EDEE7175BB7FD4831A93170308B,SHA256=F3DED00834A8D3F69611ABB1D69F967E3E1A89B280C9E5C5AF35B3E920828A22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030109Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:10.269{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9879633288CD631C562C0797C0D2173,SHA256=0B2D3E4CF66B328075F8A8F9780A32304E0BF8BC44E80A7499F3F38B0CAA4446,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067808Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:10.037{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067824Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.920{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540FD5A956291A1752E2353BC908EBC4,SHA256=D405FA30234207E6094C2F212CAF0973FD991728FAF4D1849DA3D64E8469FDE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067823Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:10.132{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030111Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:11.488{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47185BC99EF771CCD7D119887D47C69A,SHA256=4A61C1D253085CBFC123B3A7BAD06193F07BF6ABE02250CCA31D618F11856A8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067822Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.867{43EB4363-5951-60F5-F50C-00000000E501}8180ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Templates\~$Normal.dotmMD5=DD5070CB5F5DEE1743B97766A9CC7719,SHA256=E5F17F0997FDFF003B87EC9E74C88D1D030D4CC2FCF4EF26C90BC72B8AE120E9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067821Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067820Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067819Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067818Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067817Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067816Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067815Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067814Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067813Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+139d2e|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067812Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067811Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.751{43EB4363-5951-60F5-F50C-00000000E501}81806656C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000067810Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.735{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\Templates.LNK2021-07-19 10:52:11.735 354300x800000000000000030110Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:09.102{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067829Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:12.950{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79D564DC74323C257F673DB9F33093D,SHA256=27281738D2F423B793FC3C33D52C44B9DD9081E06309DDCCF2AFF4A9566BA71A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067828Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.514{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65243-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 354300x800000000000000067827Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.514{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65243-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 23542300x800000000000000030112Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:12.519{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBCD517B7A6FBB01B24D4E5240011E7,SHA256=1574DC7E9E79BF0B8CBF5576257AE1876B000C696B6CEFF97B329F78B2A46E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067826Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:12.718{43EB4363-5951-60F5-F50C-00000000E501}8180ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-walMD5=B3A63A0F7C4911CEBFC19DECC7D588E6,SHA256=DFE15789F49BDC37EFB3AAC5EB6727C83FC4EBEEF59C63E5B95DA8B944842576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067825Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:12.716{43EB4363-5951-60F5-F50C-00000000E501}8180ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Office\OTele\winword.exe.db-shmMD5=38657AEDC87550B0C62766858A3D81C4,SHA256=910F730C7BEA837650A9424FDFBDF3C9CE5FDE932E6443ABEE98C8BB154A8EDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067832Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.887{43EB4363-5951-60F5-F50C-00000000E501}8180C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65244-false52.114.77.164-443https 354300x800000000000000067831Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:11.849{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local64109- 23542300x800000000000000067830Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:13.965{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CB88E590699FEF5173860FA737B795,SHA256=13BE2518DC8F3627DA7B17CDD82B22B692655ABCAC00C2A9AD0D2B02CC2D993A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030113Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:13.597{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83340AE2ADB1773D752EFA41C2FD42AD,SHA256=3917A2B920F10E5B7C3E67D5781416A3501CD8C45ED7B16B78EF7EEB5ECCA59F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067833Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:14.974{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B91E4C027D70B10F4209664F97F3E18,SHA256=4A1AFB2D1B4FFFAFDECF7692CAA096B767D8F1C02329AA5A36DB404BDD327725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030114Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:14.644{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BC51B9DF44B419B609FC61DE34D30CD,SHA256=5E4489D752F41173BB7F86B6EFBE21E0714C9D4BB28DD66901EB59FF924DB1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030115Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:15.691{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D7DD1072CD8488D3B259386BD0F986,SHA256=86B02F27B2A1826E956467B927FA4EAE5FC4EE4A8E45FF5C0B2128C33B51B22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030117Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:16.894{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600C0AAFA00EE5FA4C213E3E262D124D,SHA256=3DEB93F5A32B62A1C8D9C12434C876697E6E5F36B524C1D317CF8598804B7332,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030116Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:15.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067869Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.975{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1846A29E0E249E34E0AE624D0E1D7599,SHA256=7C30D87E81A35F6A6F248BC3544FA6FE666D88D7ACECCBD8754A94DAE795F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067868Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.838{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1846A29E0E249E34E0AE624D0E1D7599,SHA256=7C30D87E81A35F6A6F248BC3544FA6FE666D88D7ACECCBD8754A94DAE795F4B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067867Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.838{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=428A0FFE8D823EAF78D421C2ADE48186,SHA256=85C07FE463E5442AC0EEA1D7C77F2D96392E651E82FA62EA19B3C801F501E4C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067866Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.791{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067865Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.791{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067864Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.791{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067863Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.775{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067862Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.775{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067861Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.707{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067860Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.707{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067859Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.707{43EB4363-37A5-60F5-0B00-00000000E501}624664C:\Windows\system32\lsass.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067858Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.675{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067857Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.675{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067856Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.675{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067855Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.675{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067854Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.654{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067853Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.654{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067852Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.654{43EB4363-37A7-60F5-1600-00000000E501}12723148C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067851Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.654{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067850Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.591{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4c224|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+4dd30|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+584fe|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+57f5f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+56e48|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067849Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.575{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1438C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+73c87|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+7522e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+14519|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a430|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x800000000000000067848Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.575{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+2d73e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+16070|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+15184|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+17233|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+1a40c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+84d6|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll+638e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3b280|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+3af5e|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1015b|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll+1a277|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+2185f|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+ae38|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+a8fb|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac 11241100x800000000000000067847Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.575{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-19 10:52:16.575 10341000x800000000000000067846Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.554{43EB4363-564B-60F5-C908-00000000E501}65766912C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+976c|C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll+9264|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000067845Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.554{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\latest_trickbot_spear.doc.lnk2021-07-19 10:52:16.554 10341000x800000000000000067844Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067843Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A7-60F5-1000-00000000E501}368364C:\Windows\System32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067842Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067841Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067840Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067839Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-37A6-60F5-0C00-00000000E501}8281116C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067838Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067837Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.491{43EB4363-55C5-60F5-8808-00000000E501}46325032C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+18cf2c|C:\Windows\System32\SHELL32.dll+18cc83|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067836Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.496{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE16.0.13127.21668Microsoft WordMicrosoft OfficeMicrosoft CorporationWinWord.exe"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Temp\latest_trickbot_spear.doc" /o ""C:\Temp\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=1E202F32969E42DE1E80CA9B091E32FB,SHA256=0A395756F676210C91DC8F91E9F39F4CB65B6F4D35E80DDDE6F27D2E8B8636C8,IMPHASH=21DECB0B7EE3F890B1FF9B6C42996CAE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000067835Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:13.798{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53327- 23542300x800000000000000067834Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.023{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2274513894ADB071854551927A9BA1,SHA256=F52C5C218E28F9AA2913EB5F01D4BAFEF5C9FCC5E9B861336E2B0796920A0968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030118Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:17.925{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EF6729C15552257510B2BC03E2CBA5,SHA256=E2341E39562481A723521F608228CE68DE39AE856256E8F433AB4F135A127EA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067907Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.738{43EB4363-5960-60F5-F80C-00000000E501}3668328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b74a3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b7443|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b73b6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b6d5d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll+22348f|C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll+21eda2|C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll+221bc0|C:\Program Files\Common Files\Microsoft Shared\Office16\mso40uiwin32client.dll+21e752|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+1ba91c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+1ba805|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+a7013a|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+a7582d|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+a6fe94|C:\Program Files\Common Files\Microsoft Shared\Office16\mso98win32client.dll+9f44f6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+14f593|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3b0d7|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2072|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143 10341000x800000000000000067906Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.638{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000067905Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.622{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x800000000000000067904Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.507{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1E904E38D3E23E871A3500C3ED342C1,SHA256=A63CC7CBAD00F887E6EAADD60298F110E66A2E0DC90019953F0736D6AA059B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067903Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.507{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BAC9B907DD38EE8879F7A914E9AF5B05,SHA256=BC2DAB672404537ADB8F52263DA9FB6E50DE0DA698A8785B99490FE6EE434511,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067902Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.453{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067901Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.437{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067900Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.437{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067899Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.191{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14DCD45644BE3EBE7F46ABEBF05D155A,SHA256=B1EBE464DEC34A2BB4B4F223F9804B86E134CE7D6C0893210150E79E5BA8489B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067898Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067897Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067896Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067895Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067894Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067893Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067892Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067891Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c4c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000067890Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\latest_trickbot_spear.doc.LNK2021-07-19 10:52:17.153 23542300x800000000000000067889Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}3668ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\latest_trickbot_spear.doc.LNKMD5=495B6FE05C7EC0B16FCC2C1AF12A31E1,SHA256=EEEE9D87D9DEF7F7E415A6D4D6143B6CB3A14A2B982B8E915E763DC729DE1E84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067888Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067887Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067886Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067885Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc092|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067884Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067883Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067882Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067881Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067880Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+139d2e|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067879Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x800000000000000067878Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}36681300C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+139d1c|C:\Windows\System32\windows.storage.dll+9445c|C:\Windows\System32\windows.storage.dll+94238|C:\Windows\System32\windows.storage.dll+3dc080|C:\Windows\System32\windows.storage.dll+3d974b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+174760|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173dba|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+173c25|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+1760f1|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000067877Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.153{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Office\Recent\latest_trickbot_spear.doc.LNK2021-07-19 10:52:17.153 10341000x800000000000000067876Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.137{43EB4363-55C5-60F5-8808-00000000E501}46325252C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\windows.storage.dll+3c72be|C:\Windows\System32\windows.storage.dll+3c92ae|C:\Windows\System32\windows.storage.dll+152f13|C:\Windows\System32\windows.storage.dll+154519|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067875Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.137{43EB4363-55C5-60F5-8808-00000000E501}46325252C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca41e|C:\Windows\System32\windows.storage.dll+3c60ef|C:\Windows\System32\windows.storage.dll+3c7230|C:\Windows\System32\windows.storage.dll+3c92ae|C:\Windows\System32\windows.storage.dll+152f13|C:\Windows\System32\windows.storage.dll+154519|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067874Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.137{43EB4363-5960-60F5-F80C-00000000E501}36685976C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c7988|C:\Windows\System32\windows.storage.dll+3cbf7f|C:\Windows\System32\windows.storage.dll+3cc4d8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175bf4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175ad9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067873Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.137{43EB4363-5960-60F5-F80C-00000000E501}36685976C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c796c|C:\Windows\System32\windows.storage.dll+3cbf7f|C:\Windows\System32\windows.storage.dll+3cc4d8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175bf4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175ad9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067872Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.137{43EB4363-5960-60F5-F80C-00000000E501}36685976C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c796c|C:\Windows\System32\windows.storage.dll+3cbf7f|C:\Windows\System32\windows.storage.dll+3cc4d8|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175bf4|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+175ad9|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+8df2c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+12fccd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b884c|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b866b|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+b68de|C:\Program Files\Common Files\Microsoft Shared\Office16\mso20win32client.dll+cc818|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067871Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.053{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8855E8C0909E7545F545EDC3ED74AEED,SHA256=2DA7FACB7AD2876232550D5159762E35B0E3AE0890B7739C200EB96AFB155F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067870Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.006{43EB4363-5960-60F5-F80C-00000000E501}3668ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8A580094.pngMD5=8F21C647D253A3CE991C371D19437151,SHA256=7E7864C1563D7D1EDFE3FBDD2F9524F30EFC716716E84F25A1691DF7F628206F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067911Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.564{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-876.attackrange.local65246-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 354300x800000000000000067910Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.564{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65246-false10.0.1.14win-dc-876.attackrange.local3268msft-gc 354300x800000000000000067909Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:16.040{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067908Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:18.075{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB6479A56FC0D5EE96BC246B7A5F350,SHA256=D3B46B2D7AAC94E6BAB21BBAD2864AC18148F47DEE785CA0F40F5A5CDEFBA757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030119Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:19.144{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C613849790C4B716D0FE19A5EFDA90DD,SHA256=A68FE7C61B1E4E458BB5E62A476AB461EA89AA113D11C06FDE1CD9C7AE98BF66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067919Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:19.805{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=32BADBAA6749D97AB30A1EE52EF196EA,SHA256=D69593C280F1003D41B2735E6009366CC79A55741DF7A1B816E77C88F4EA5BEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067918Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:19.720{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=43F53178F5FBE35E59FD535DB058E122,SHA256=56EE5F84BB8F7C6FFC76AF4B3518034748DA7CF5FEAD4BA1C2201332A71FFF18,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000067917Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.570{43EB4363-5960-60F5-F80C-00000000E501}3668win-dc-876.attackrange.local0fe80::f105:4095:771:5c2f;::ffff:10.0.1.14;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 10341000x800000000000000067916Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:19.636{43EB4363-5960-60F5-F80C-00000000E501}3668328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C4-60F5-7C08-00000000E501}3780C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b74a3|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b7443|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b73b6|C:\Program Files\Common Files\Microsoft Shared\Office16\mso.dll+b6d5d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+3b0d7|C:\Program Files\Microsoft Office\Root\Office16\wwlib.dll+1f2072|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1143|C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE+1492|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067915Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:19.622{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000067914Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.568{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65247-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000067913Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.568{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65247-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000067912Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:19.089{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFC8A1F99665C4F027A1EB77CB7DFCD,SHA256=ADCBDCED539D688EDD7A91EE37B8552A3E9E240CCEC05905F4E64C45C5E66AB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030121Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:20.550{53AF6CEB-39BE-60F5-0B00-00000000E601}6201092C:\Windows\system32\lsass.exe{53AF6CEB-39BB-60F5-0100-00000000E601}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x800000000000000030120Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:20.378{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FBD5F6ADD6AD30ECA7EFA3FBCBCA97,SHA256=020F70EE145DF096B4640406DA6B88C554FD23B4A2935A2709F21CE4664607A6,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000067923Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:18.625{43EB4363-5960-60F5-F80C-00000000E501}3668autodiscover.attackrange.local9003-C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 22542200x800000000000000067922Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.591{43EB4363-5960-60F5-F80C-00000000E501}3668attackrange.local0::ffff:10.0.1.14;C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE 354300x800000000000000067921Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:17.570{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratorudptruefalse127.0.0.1-53328-false127.0.0.1-53328- 23542300x800000000000000067920Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:20.090{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=895C0B54D75119646D3D6EC12172926B,SHA256=D53BBBCD3B9AE2D46C5583B56890DED9A1B7BEB3EA5E6247D0772FBA185994F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030125Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:20.117{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030124Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:21.519{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030123Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:21.394{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1156D23E8B8128F69951304E9D5C81,SHA256=56A63C3FC2FDEABE01B86FFB6E85BF0B55C6A0D779D19E31284B63EBF3AECA20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067925Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:21.558{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1E904E38D3E23E871A3500C3ED342C1,SHA256=A63CC7CBAD00F887E6EAADD60298F110E66A2E0DC90019953F0736D6AA059B6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067924Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:21.090{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBCA9010FC9B9C1E5A3D300FF54BDFFB,SHA256=0606B3BE68448A5DBE39A525F099CDA0D6ABEDAB6F090A914194153F0B35F432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030122Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:21.003{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AEB6EA58B6C205ABD9612EFEFCA8A9D3,SHA256=04F3AC5D5E849C4F15F0F446C3E51E2D3140B2E8F90AC5246A35A82EAC18F1F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030127Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:20.435{53AF6CEB-39BB-60F5-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51339-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x800000000000000030126Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:22.395{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01F43D631A6530A6ACD4AC846F64B792,SHA256=CAE7D260CD069249DE11FE4124ECF744AE52B2FB570D1BF22944A7AE63C79E8C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067927Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:20.488{43EB4363-37A2-60F5-0100-00000000E501}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51339-false10.0.1.14win-dc-876.attackrange.local445microsoft-ds 23542300x800000000000000067926Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:22.105{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67528B2317710927300A7A2BE16E5385,SHA256=1F41D7C6E9B6ABE582A1D83A7F1D1849E3C79E2C177C84FA3344022BE2EC4C69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030131Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:23.520{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD487553560A8ABC0D35AC8DBAAC9B55,SHA256=83627CED5ECBDBFBBFD1DE1B46F563689A61C9FEA27EC75C66E06BBE45D46F5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067929Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:21.107{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65249-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067928Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:23.109{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4257CDEA04E5D24B7108AC9427ED7557,SHA256=D2F5306DCB0A83664193B02F904227C7A5996703C859355BD27471AE7D951EE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030130Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:22.292{53AF6CEB-39C1-60F5-3400-00000000E601}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51342-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000030129Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:22.291{53AF6CEB-39C1-60F5-3400-00000000E601}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51341-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000030128Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:21.383{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030134Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:24.645{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=186E2E8C92928FB18DE17CA5D370D477,SHA256=059CA570E65D3297D0CB2392B6C2F78DBBED852FF4DDFB99EEB18231A6544C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067931Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:24.757{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=34B4F3730460DA32B79F49F0160E2790,SHA256=2350662C86A70F63EE04BB590ABDCF0403AC1F59FE11F22BED5616FBECE6D991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067930Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:24.143{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AF28EC43E30F1595C6A2C6ACAD39C0,SHA256=06B0CCEDFE8BEFF107B3305C306613D9520A5891B1ED0014499FD48053921C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030133Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:22.444{53AF6CEB-39C1-60F5-3400-00000000E601}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51344-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x800000000000000030132Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:22.332{53AF6CEB-39C1-60F5-3400-00000000E601}2984C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51343-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x800000000000000030135Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:25.645{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B83F7AC0AFF466E5C355EE1798B1830,SHA256=665B80589E7F702BC5BC9048A2A2AF49B48FE726104A2FD5B4517543C0FB2C3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067932Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:25.157{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBDC95F9F5149AD407C7686C884FF3EA,SHA256=E5159F26DFFB516707893B2F961FCB6B9FC41C92CA69E2F8F89EB43B6884DAB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030137Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:26.676{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83420CF231976945F0ECD04D1A7F955B,SHA256=B42B22BC7351FF0BB18F547F2599DA5C1AB79692C5A39354987DB0731B98D7C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067943Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.957{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000067942Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.957{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000067941Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.957{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x800000000000000067940Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.957{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x800000000000000067939Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.957{43EB4363-5960-60F5-F80C-00000000E501}3668ATTACKRANGE\AdministratorC:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RF83fb89.TMPMD5=4FCB2A3EE025E4A10D21E1B154873FE2,SHA256=90BF6BAA6F968A285F88620FBF91E1F5AA3E66E2BAD50FD16F37913280AD8228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067938Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.926{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94bd7|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000067937Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.926{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+94b42|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000067936Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.926{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x800000000000000067935Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.926{43EB4363-5960-60F5-F80C-00000000E501}36682688C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+94b27|C:\Windows\System32\windows.storage.dll+94503|C:\Windows\System32\windows.storage.dll+94389|C:\Windows\System32\windows.storage.dll+bc95|C:\Windows\System32\windows.storage.dll+bbdd|C:\Windows\System32\windows.storage.dll+a126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x800000000000000067934Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.208{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1337C61FECC86B235C5B0B96FE6E7FD,SHA256=E02BC00C4473FCB40170239280C7E1FF2A07DEBDD702F73D5B1C5DCFD3BF4E2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030136Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:25.118{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067933Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.158{43EB4363-5953-60F5-F60C-00000000E501}4316NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\tokens.dat.bakMD5=E5DC5EB3A08AD099D37700C1F0A95557,SHA256=57B1B22485C31E3D138CC6E3D1FA43344A588CDC4CD9A9A78A97F8FCB97FC5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030138Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:27.910{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25763664EFFF72645057FCD92FF19DAF,SHA256=73A4EEE7A4D7B729CF8491DA3AE8538B5DBF623A03FFFA4F5F87CC0DEE961069,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067947Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:27.805{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000067946Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:27.805{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067945Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:27.805{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF83fec5.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067944Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:27.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21E7576216D6F9287D7E8EAD984BF138,SHA256=0E2779032B5C7B7565639684C3D47CC47262914980896A6D5F9787126BD35CC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067951Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.959{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000067950Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.843{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65251-false52.114.77.164-443https 354300x800000000000000067949Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:26.815{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65250-false104.101.101.4a104-101-101-4.deploy.static.akamaitechnologies.com443https 23542300x800000000000000067948Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:28.240{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB1F4C66781F03A0C083B2D407EE8D27,SHA256=AA910D46E3305F374DC2A75AD134255A940C6A29852A1C6CC8FD5FE3BD29AD74,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067953Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:27.046{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXEATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-876.attackrange.local65253-false104.101.101.4a104-101-101-4.deploy.static.akamaitechnologies.com443https 23542300x800000000000000067952Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:29.255{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2C16E94581047AFB30E8A6BDD695141,SHA256=5403D9E5AFAEDB3755D490235546E48CF37BCF0F4C523D1E55912ECB60D4845E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030139Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:29.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D2FAAA5BC5FE35966BEFF74E620CD6,SHA256=36B09763965A98435D01728D6C410B4066B839551BA13D1FB099D4C9334FFD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067954Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:30.270{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E93C383444A0218CD85E5FEF04B093,SHA256=DE09030708AABE18E4A02FD40B4429928BCAA980C58DCD7E6801756855FB5AE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030140Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:30.379{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAC82C2C80A474D9B5E1760CFFBDA466,SHA256=DE38AA50C6906B03BE9E5D63F6D85A01B9C41F772AA16C526A5E0B9129289EEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030141Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:31.520{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4941C3BE1476AB72C9FD53700C0B901,SHA256=3D60CCF4248DE62F046D1276EC69CAACE5366652063B7D22DBA1CC0ACCD862AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067955Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:31.303{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E30D55981109F4A2553FFFE398717D,SHA256=B48D936E2681D741BD8E5D48C115EA9CE646D56839974655249EC3F64624FF30,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030143Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:31.008{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030142Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:32.754{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3017307608BAB5A95150EE2F03D9CC0E,SHA256=09D32262BB7AAE32EAD743E82DA3621983CC173AB3478301B02C77AE961C21F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067958Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:32.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D559840F255EDE591EEA2B05180E5C4E,SHA256=199659D2760D2C724E9661BAD7EEBB42AC2599EC0BDCEAB08007F63357CAE023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067957Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:32.553{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D35506F32AFF718316E1AE93B3A5E8A3,SHA256=40EA5EC58D3CF55343DBAC99E59F3A4BE7AA5A269F7D2F881BBCCF5521BA4A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067956Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:32.337{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2FCFFF9BF7A67B03AB74BB279781D7,SHA256=D1919A182AE78635968DF0785D8215A0A9D01428E1B6F0DF011E3AEFD221BF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030144Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:33.989{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09366C6942D98CCFE68363EF816BF087,SHA256=C6462AB8C88374D4035B6F222052BD2B977760AE8DE7A50BC0191753BA73228F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000067996Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:32.070{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000067995Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.410{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24234D69D932DC781CD6C3190BF776D0,SHA256=421DD067CA32E0E9BD78F3E76007AEDF8A2032F7707101F87518DB410EC79EEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000067994Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.410{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067993Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.410{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067992Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.410{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067991Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.410{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067990Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.356{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067989Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.356{43EB4363-5971-60F5-F90C-00000000E501}63647520C:\Windows\SYSTEM32\cmd.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000067988Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.361{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe11.00.14393.2007 (rs1_release.171231-1800)Microsoft (R) HTML Application hostInternet ExplorerMicrosoft CorporationMSHTA.EXE"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\boxDelInd.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} C:\Temp\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=A65AE0DB1DAA6B07C89DCC1E21D3EB42,SHA256=5B6429B98ADF532E6F694C9A6CD1A1943B4AA3D5EA524D4FB353939FD9C61342,IMPHASH=79925B1930721457F5E11BF877806843{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\System32\cmd.execmd /c c:\programdata\boxDelInd.hta 10341000x800000000000000067987Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.356{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067986Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.356{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067985Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.309{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067984Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.308{43EB4363-37A7-60F5-1600-00000000E501}12723472C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067983Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.308{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067982Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067981Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067980Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067979Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067978Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067977Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.225{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067976Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.209{43EB4363-55C5-60F5-8808-00000000E501}46324200C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067975Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.209{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067974Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.209{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067973Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.209{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067972Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.209{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067971Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.184{43EB4363-37A7-60F5-1600-00000000E501}12723472C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067970Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.184{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067969Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.168{43EB4363-5971-60F5-FA0C-00000000E501}64127808C:\Windows\system32\conhost.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067968Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.152{43EB4363-55C1-60F5-7208-00000000E501}45563352C:\Windows\system32\csrss.exe{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x800000000000000067967Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.localContext,ProtectedModeExitOrMacrosUsedSetValue2021-07-19 10:52:33.138{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEHKU\S-1-5-21-4085236968-3260266398-3930693997-500\SOFTWARE\Microsoft\Office\16.0\Word\Security\Trusted Documents\TrustRecords\file:///C:/Temp/latest_trickbot_spear.docBinary Data 10341000x800000000000000067966Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067965Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067964Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-55C1-60F5-7208-00000000E501}45562812C:\Windows\system32\csrss.exe{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000067963Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067962Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000067961Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.138{43EB4363-5960-60F5-F80C-00000000E501}3668328C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+43ae7|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+4358a|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+44642|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3c560|C:\Program Files\Microsoft Office\Root\Office16\AppVIsvSubsystems64.dll+3d357|C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL+100e92|UNKNOWN(0000020B66C513D2) 154100x800000000000000067960Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.133{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Execmd /c c:\programdata\boxDelInd.htaC:\Temp\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Temp\latest_trickbot_spear.doc" /o "" 11241100x800000000000000067959Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:33.121{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXEC:\ProgramData\boxDelInd.hta2021-07-19 10:52:33.121 10341000x800000000000000068003Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.856{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068002Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.856{43EB4363-37A5-60F5-0B00-00000000E501}6244604C:\Windows\system32\lsass.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068001Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.788{43EB4363-37A7-60F5-1600-00000000E501}12723472C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068000Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.788{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000067999Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.372{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DDB8D4F445E033373B27C7760BD974E,SHA256=9A76DF1690DFF03F8A11E41E649CD4EB841A7C6710B758ED37EC10BCE97CB3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067998Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.210{43EB4363-5953-60F5-F60C-00000000E501}4316NT AUTHORITY\NETWORK SERVICEC:\Windows\system32\sppsvc.exeC:\Windows\System32\spp\store\2.0\cache\cache.datMD5=0FAE9DBE825B0885B4FFE89A40167470,SHA256=1FEBDEA363697FB85D71503759DC19B3A2528A25309678D34432347BA8A637A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000067997Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:34.126{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D559840F255EDE591EEA2B05180E5C4E,SHA256=199659D2760D2C724E9661BAD7EEBB42AC2599EC0BDCEAB08007F63357CAE023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030145Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:35.004{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E991A1E5945B023E80D3D306D7D735A,SHA256=A43FF4C5704D736A0DFBFBC6441370527AB995588932C2F36497640437DEA57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068011Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.389{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE515B7B363A910326FB36C9190BBA61,SHA256=9306EEDCDCAF41329D8F2CB6CE9EAE873AFA3303CB5DE1C71E6DA3D3BF59EA8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068010Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.127{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068009Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.126{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068008Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.125{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068007Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.124{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068006Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.124{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068005Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.124{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068004Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:35.119{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030146Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:36.238{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4837B0A0C27AA7DB8226599DBC270675,SHA256=77B6D0B3CF2BDF30807462C1B57D3938A655AE2103469ABBFDB43388FEE8DC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068016Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.391{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=622750CA67960C12CE9D6DFBABC7708C,SHA256=BAC24563E9CF834DA0E047A016B13DCC0973095F63FAD750DCAB9CB37502E640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068015Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.344{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1600-00000000E501}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068014Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.107{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068013Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.107{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068012Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.107{43EB4363-37A7-60F5-1200-00000000E501}3561592C:\Windows\system32\svchost.exe{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030147Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:37.330{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=338C53CC3F29F8825105032BE8955E3A,SHA256=2F0479DB52831AC2F58D393A01322F64DB0FEF6461B8154F7B7F5D70E6E3F57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068017Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:37.402{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94264B1B791881FB9A238270018624D6,SHA256=6114B9ECDCD166F848F9351BB2008865AC1EDFE08228D8B8FA2C40EC42A2BE51,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030149Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:36.943{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030148Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:38.551{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6E1BBD232EFCBEF59D510DF3F81FF8,SHA256=17706EA80B2A0702D48AF8AC5360C0D8CD221FC21C6DF145BB92AFAD4CD0C294,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068019Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.888{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local57192- 23542300x800000000000000068018Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:38.436{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6FDA94CE809CB898CF427DFF085537,SHA256=5204E970F3522E5E14D47CE91C86FEE1BF6E2D01D41AF26A2F8931BB2B284697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030150Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:39.785{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55624C4B9AC20C8E2C3CCAC5A792187,SHA256=ED03C5467B4C30F4626BBE5BEB0C46D4058E48A5CB24F29D2259DE4BD1A7701B,IMPHASH=00000000000000000000000000000000falsetrue 22542200x800000000000000068024Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:38.794{43EB4363-5971-60F5-FB0C-00000000E501}7304airloweryd.com0::ffff:45.153.230.151;C:\Windows\SysWOW64\mshta.exe 23542300x800000000000000068023Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:39.951{43EB4363-5971-60F5-FB0C-00000000E501}7304ATTACKRANGE\AdministratorC:\Windows\SysWOW64\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\DLQUJEVB\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068022Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:37.154{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65255-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000068021Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:36.907{43EB4363-37B7-60F5-2900-00000000E501}2868C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57192- 23542300x800000000000000068020Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:39.467{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50FB6D132545190D711775F806878FAC,SHA256=CDD8A701C7B9CE07D554D848DAA4EB9DB9FFBEEB3DDFD7070BDCC104F70C6538,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030151Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:40.832{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BB244EB41C1754065B15EF9B89A9124,SHA256=865A3F984A7AC105A908F0C53BDF58D6FE5640254BFB2A8941D528EF8BB037B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068027Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:40.502{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B152F254FA72935121D9431014D09948,SHA256=97D1DF34850A8380902DF1D556FB4F775CE561E9E35D8C5620C8FDE255F9D6B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068026Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:40.003{43EB4363-5971-60F5-FB0C-00000000E501}7304ATTACKRANGE\AdministratorC:\Windows\SysWOW64\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\U1MWMKJN\warning[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068025Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:39.999{43EB4363-5971-60F5-FB0C-00000000E501}7304ATTACKRANGE\AdministratorC:\Windows\SysWOW64\mshta.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\INetCache\IE\LMKQ0A2C\error[1]MD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030152Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:41.848{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1678CD9DD16A73AC710C96D5045E0017,SHA256=6E80833BADC2EE95C872D5921EDFD1DF74EA6B98034CE3A8C54CF235FE3B7B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068030Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:41.518{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CCDEDCE9108D11C680F9767CEFE02B,SHA256=F6CE1FD41119EFF0CEDC3BDDF42E65443B0B018B5D1D0E93D577AE09F8E98078,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000068029Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:41.298{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txt2021-07-19 10:42:41.286 23542300x800000000000000068028Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:41.298{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\SiteSecurityServiceState.txtMD5=04077BAAC3262ABA9539186A622C5986,SHA256=61C8AFF25C5C3866E97FE6887D7A7E5B0CFCC29F6EE0F26CD74DA5E6E68DBF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030153Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:42.862{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0640C2D37E87128842B24D0F2D197D76,SHA256=DC3BBBCF5CCF9E8A1FE6CCB5652524C91573FFFB9CB522A1AF27E3A0856C24F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068031Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:42.549{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB1BD3A71D14BC32A4DB569F8774BC3,SHA256=6B2E293EC761A6CD07C7080E74FC05B48E05E74B3184A17128D82DFFE7BB09F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030155Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:43.909{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B665641C9734B54DD290D7ABBCDAA5,SHA256=A46CE31F65D40E979888E145F05C45215DDD2BAD8B06544EA43B2F9B20668D8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068082Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068081Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068080Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068079Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068078Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068077Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068076Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068075Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068074Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C4-60F5-8108-00000000E501}36921008C:\Windows\system32\taskhostw.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068073Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068072Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068071Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068070Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.879{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068069Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.848{43EB4363-37A7-60F5-1600-00000000E501}12723472C:\Windows\system32\svchost.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068068Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.848{43EB4363-37A7-60F5-1600-00000000E501}12721320C:\Windows\system32\svchost.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068067Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.832{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068066Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.817{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068065Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.817{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068064Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.799{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068063Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.799{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068062Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.799{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068061Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068060Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068059Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068058Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068057Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068056Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068055Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068054Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068053Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068052Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068051Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325600C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068050Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068049Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068048Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068047Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.779{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068046Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.764{43EB4363-55C1-60F5-7208-00000000E501}45564356C:\Windows\system32\csrss.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068045Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.748{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068044Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.748{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068043Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.748{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068042Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.748{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068041Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.748{43EB4363-5971-60F5-FB0C-00000000E501}73047816C:\Windows\SysWOW64\mshta.exe{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783d0|C:\Windows\SYSTEM32\ntdll.dll+77f9e|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9148(wow64)|C:\Windows\System32\KERNELBASE.dll+d7e2c(wow64)|C:\Windows\System32\windows.storage.dll+12425f(wow64)|C:\Windows\System32\windows.storage.dll+123f7f(wow64)|C:\Windows\System32\windows.storage.dll+123cc7(wow64)|C:\Windows\System32\windows.storage.dll+124cb5(wow64)|C:\Windows\System32\windows.storage.dll+123af1(wow64)|C:\Windows\System32\windows.storage.dll+125eba(wow64)|C:\Windows\System32\windows.storage.dll+1262b7(wow64)|C:\Windows\System32\windows.storage.dll+1258e5(wow64)|C:\Windows\System32\shell32.dll+18be74(wow64)|C:\Windows\System32\shell32.dll+18bd4e(wow64)|C:\Windows\System32\shell32.dll+1ad65a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000068040Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.760{43EB4363-597B-60F5-FC0C-00000000E501}4308C:\Windows\SysWOW64\regsvr32.exe10.0.14393.1378 (rs1_release.170620-2008)Microsoft(C) Register ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationREGSVR32.EXE"C:\Windows\System32\regsvr32.exe" c:\users\public\boxDelInd.jpgC:\Temp\ATTACKRANGE\Administrator{43EB4363-55C3-60F5-C0E5-4B0000000000}0x4be5c02HighMD5=56CF190F4143DC68800C4125D6001B07,SHA256=F72ED4D11C9971A9B7CE0A5681EE35968A6B4CCDC2F2B3A9F3E81418605FA467,IMPHASH=D053774A49BA83FF54C68888CB687C6C{43EB4363-5971-60F5-FB0C-00000000E501}7304C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\programdata\boxDelInd.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} 10341000x800000000000000068039Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.679{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068038Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068037Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5971-60F5-F90C-00000000E501}6364C:\Windows\SYSTEM32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068036Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068035Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068034Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068033Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.664{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5971-60F5-FA0C-00000000E501}6412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068032Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.564{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F205E452E3B0AF3BF7E44A0DD8D303F6,SHA256=BD3BEFC487E90CD45C7CF45D7010D12CA5573E636B597CDBDD5A593E9B6BE77B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030154Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:42.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000068083Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:43.050{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068087Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:45.847{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84BF75E7876F44BE8A0E435F6D7271ED,SHA256=51D1452A5B0CDD805F8E82344343ED393A155C860C5821F2E36F6D96FFB56C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030156Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:45.127{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E18E4D9E43DF6762CF9AEC7C5F024EF,SHA256=4EA0BD5CB2635B0D4F6C5729A90DAC9CE1CF7AC11464EC36CFF8611313747183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068086Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:45.079{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098AABCD97CD44FCF7DD713ED8431016,SHA256=09656FB7024A2D08955EDE243BF6E08A2FC3106A82F93196875964432FAD1004,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068085Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:45.079{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450A0C0A366D8A87AAFF824DF31D9929,SHA256=85D49F61CEA7BCC123D6212A2F38352D035A13A7618440CE068B7C3E86EDC586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068084Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:45.079{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB586728BDEEEDFA97A77B5D453C3BD4,SHA256=17626B434BFBBB3CE33E03BF3D94369C3FA0A9614D8F2BD8B983200AA0C6A338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068091Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:46.861{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCC9C7F8B18829F52BB4E7B853CB647,SHA256=D782AEDC9A9CFFCBEBF4E3CE2C90001F887D884B1D5B790DB08C63387EE6661E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030157Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:46.143{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B7F15B1247A4BEE3A0E1E39AD819F3D,SHA256=6AD6BAC0902D391EB7A74A73449B967A7840F3C9A4AEF8C2BA166CFFFE9A63BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068090Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:46.015{43EB4363-55C5-60F5-8808-00000000E501}46325260C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068089Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:46.000{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068088Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:46.000{43EB4363-55C5-60F5-8808-00000000E501}46325100C:\Windows\Explorer.EXE{43EB4363-5960-60F5-F80C-00000000E501}3668C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068092Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:47.876{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BEC2F672EBB96C7BE3F797794BFADB,SHA256=32C0D65463BFDB68BC65A4B3F8A7AB60CE0831F116A6F546BB03269056B128D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030158Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:47.237{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059503785CDE946EB52C646D237484E8,SHA256=87C3CF49FFC88C03DCA34BF60EF670D4ECA957B855E0DE98CFDF5308A10D9F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068093Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:48.894{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECEBB97CAB92CEE5F6E10B71CC28628,SHA256=9BFFE6155E7F1D287C08B5127DE8DA0671885FE6687E4EEDBED5799EF2462A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030159Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:48.455{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8C34687224371DF13E2E206C5430E4,SHA256=755C9F60DE10C3DE59AB12B6CF13A2744140067EA6284E79B6BC4550335E464E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068096Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:49.945{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=56F8B463E2A25C362642073DA26B08C1,SHA256=2A1C3BCA9C7A606207F26AF757347147670B1C98F91FB881C7C692E761FB3D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068095Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:49.945{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7CD1BF2A34AF92DB2D1C9FC34E8BBEE0,SHA256=37BF50E21469CCE0F4E94BDCAB356E003E17600C35E2A4D79034DE11C8636F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068094Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:49.913{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE85B7C818788EE07484B2617399B13,SHA256=6819599BF83E96AFD316C2F70E38B10AB882AEF56B3E3A8638B6F187BB862110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030160Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:49.690{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A6B8340A47A57E895FC9306AA6CDB7,SHA256=C74226023C7897B87134CA088E9153924B2C4A84531CB534391101D5CDF7B695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068107Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.915{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58E373866D3CF872AEB1D8839B3F409,SHA256=5830A1080122FC6FD3BAC3279189829859CE7103CD6104AD6A79C7AF2D7BF9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030162Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:50.721{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C92E569D1117900ADCA527FA8BED51B2,SHA256=4118F1C82184E576D1064604A33387A1D1E5A5F7ADADD1A5A37F100ECB4C9AF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068106Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:48.108{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000068105Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.534{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5982-60F5-FD0C-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068104Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.508{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068103Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.508{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068102Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.508{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068101Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.508{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068100Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.507{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5982-60F5-FD0C-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068099Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.507{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5982-60F5-FD0C-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068098Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.331{43EB4363-5982-60F5-FD0C-00000000E501}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068097Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:50.030{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=56F8B463E2A25C362642073DA26B08C1,SHA256=2A1C3BCA9C7A606207F26AF757347147670B1C98F91FB881C7C692E761FB3D97,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030161Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:48.022{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030163Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:51.752{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCBC62FA5787C6254B7F009B0141D47B,SHA256=C85EDB7BF847F897B779DDCEB005F35C1A6C64EDF1910B80CEAA74B6923E235C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068127Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.961{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2CDF6B09F16416F7FCCA74B7053C6A,SHA256=51CC48FAF8046CD8FD2059F27AEA90233C4ECD1638C1BE5A8D4FBE20AD2B302B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068126Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=AC98745882E70A4C90D780DCB962D462,SHA256=1B6B15E8B59AC069C8580F2DEE260CA4D870005B3A813E415DDF5D01931A9734,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068125Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=D9B68B1F8CF5F1FBE046C66ADB4E5903,SHA256=9FBF7061906BACF2A6CB2168A673F8B3E1756C85F276C90C3F984184AD5A5611,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068124Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=0CC24C6D6CE8E4BBE6BD014108FEAE3C,SHA256=92F4C816FA0D4712F2A9BEE89D5E4FAE51500FE4133A5178A6AD6D3E223E9D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068123Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=C804009BCCFC080F83674A7D1708A782,SHA256=788C14E03C1DF2155613F318D87537CFADBD0AA1F12AA7ADE06BF3F066CB63D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068122Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=00030E3788E2B6E4E66B8DA611F39917,SHA256=9ABC1BC3556B00BA935BA1451D7020A745EEDA5D1957D96FA9FEE4CE6857EE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068121Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.845{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=EBAACDF62E5BC4FAB30F1D53EBA8F649,SHA256=19659F186B6BB5B88BA4C88D4B92D7CC8AE90331697348C335DC611D0F0654A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068120Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.603{43EB4363-5983-60F5-FE0C-00000000E501}51726184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068119Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.347{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B427EF974A82FAF70DC3B1608AB15DDB,SHA256=EAB906BC10AC8732EDB1D1DBF1D3F99FD911CAEF7ED180CAB97BEF293D4B1ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068118Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.344{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098AABCD97CD44FCF7DD713ED8431016,SHA256=09656FB7024A2D08955EDE243BF6E08A2FC3106A82F93196875964432FAD1004,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068117Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.330{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5983-60F5-FE0C-00000000E501}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068116Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.326{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068115Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.326{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068114Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.326{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068113Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.325{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068112Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.325{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5983-60F5-FE0C-00000000E501}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068111Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.325{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5983-60F5-FE0C-00000000E501}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068110Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.194{43EB4363-5983-60F5-FE0C-00000000E501}5172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068109Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=827D9DDDD419B5CA0DB20073735A9366,SHA256=F3B3DF9C8C767E21B6BCAF5CEFE9267A685679E62DD79530D5144D6C2C3D3F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068108Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:51.050{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=72084593D73B2B4762FDEB9BDDADD9E9,SHA256=AF32BDBB076666C40337EA59725415267FF417D4F1D1BD5C0A27A7BAFAD05D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030164Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:52.971{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE14DE81C2BE5A9DE93AACA6A486805,SHA256=ABB78147C8628F9022DE1960149748894740ACA7CD590EB6470EE410E254ABBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068136Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.976{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D93A6F7C570716A67A5458E82E4E83AE,SHA256=C4A2688B0E279C9EBF3EAF1CCDAC5606151A9E860BEFF02B9F5CC4257D00AF4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068135Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.176{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5984-60F5-FF0C-00000000E501}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068134Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068133Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068132Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068131Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068130Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5984-60F5-FF0C-00000000E501}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068129Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.161{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5984-60F5-FF0C-00000000E501}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068128Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:52.046{43EB4363-5984-60F5-FF0C-00000000E501}7944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068138Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:53.990{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C928C988308F8CA3B13A6ACBAA5216CA,SHA256=95A857736E7FE4C9EB8B78DD0F9074A43D1475B33899B060AB83E2AEEDAF035F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068137Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:53.076{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B427EF974A82FAF70DC3B1608AB15DDB,SHA256=EAB906BC10AC8732EDB1D1DBF1D3F99FD911CAEF7ED180CAB97BEF293D4B1ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030165Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:54.018{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C1F0F41A7919BE0A3B802BC860CF22,SHA256=8F34EC5DA1939021BEA95CBBE77DC1288307D5E6AAF4218B17310B8FCF4AF9D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068158Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.939{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5986-60F5-010D-00000000E501}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068157Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.937{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068156Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.936{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068155Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.936{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068154Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.936{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068153Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.936{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5986-60F5-010D-00000000E501}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068152Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.936{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5986-60F5-010D-00000000E501}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068151Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.934{43EB4363-5986-60F5-010D-00000000E501}348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000068150Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:53.661{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65259-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000068149Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:53.661{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65259-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 23542300x800000000000000068148Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.738{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12C21623E586465902BF2F9073286967,SHA256=02948D81DEB324868B845C9F48D7689278C2E70235A95177724D469354E6E637,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068147Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.522{43EB4363-5986-60F5-000D-00000000E501}80087608C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068146Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5986-60F5-000D-00000000E501}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068145Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068144Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068143Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068142Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068141Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5986-60F5-000D-00000000E501}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068140Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.228{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5986-60F5-000D-00000000E501}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068139Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.060{43EB4363-5986-60F5-000D-00000000E501}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030179Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5987-60F5-3A06-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030178Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030177Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030176Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030175Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030174Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030173Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030172Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030171Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030170Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030169Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5987-60F5-3A06-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030168Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5987-60F5-3A06-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030167Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.409{53AF6CEB-5987-60F5-3A06-00000000E601}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030166Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:55.034{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E69BAFDEF4DE0A9371B89D50CB1673C,SHA256=CE59BE9C44B9DA7E269B51BAE1A47762B427926015BFAF4ED04D7B238701B1FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068169Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.970{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D184158EFFC62FE8E4BC4CA35E0505B5,SHA256=32078E0B223C93D62736E33BFAA2C9ABE0F7845AE85488AD846C31CDC764A4BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068168Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5987-60F5-020D-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068167Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068166Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068165Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068164Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068163Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5987-60F5-020D-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068162Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.885{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5987-60F5-020D-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068161Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.755{43EB4363-5987-60F5-020D-00000000E501}7568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000068160Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.117{43EB4363-5986-60F5-010D-00000000E501}3487404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068159Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:55.002{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA90341D08CFC91DBE41029EADAC147,SHA256=91A2D938654EFE3DA7C29AFC78C8D59E4D80CBA78E2ED9A6A3C6FBAADEA7573E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068181Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:54.076{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068180Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.898{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068179Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.898{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=DF8093C4BDFFC3E837455904CEB6E298,SHA256=C280721804E02B36899C840942878C34C97C61BD2326BF419BF1ABA1F33C2B8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068178Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.782{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5988-60F5-030D-00000000E501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068177Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068176Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068175Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068174Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37A6-60F5-0C00-00000000E501}828868C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068173Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5988-60F5-030D-00000000E501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068172Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.768{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5988-60F5-030D-00000000E501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068171Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.636{43EB4363-5988-60F5-030D-00000000E501}644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068170Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:56.038{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A7B5F575EA59074CB3800308AE084B,SHA256=468A291E685EAFD8ED176DD9B2CDC6F6F242A71F8C1FFA6C366E765D0771F740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030210Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.924{53AF6CEB-5988-60F5-3C06-00000000E601}39882096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030209Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5988-60F5-3C06-00000000E601}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030208Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030207Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030206Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030205Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030204Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030203Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030202Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030201Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030200Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030199Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5988-60F5-3C06-00000000E601}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030198Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.752{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5988-60F5-3C06-00000000E601}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030197Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.753{53AF6CEB-5988-60F5-3C06-00000000E601}3988C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030196Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.424{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B1CE6E36082D24D7BF9FA4157A3203,SHA256=21CA6F4509C1AB8E2EF88A2A7102CE30E782F967F39CDB51D3467836F1C5773D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030195Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.424{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72B0F1986AAC1089DDC28288215E759E,SHA256=FE5DC911E302B5C0543DFF1763639A15612745EF938F9E6F6381C0E604E2709A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030194Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:54.022{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030193Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5988-60F5-3B06-00000000E601}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030192Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030191Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030190Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030189Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030188Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030187Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030186Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030185Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030184Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030183Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5988-60F5-3B06-00000000E601}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030182Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.080{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5988-60F5-3B06-00000000E601}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030181Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.081{53AF6CEB-5988-60F5-3B06-00000000E601}1372C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030180Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:56.049{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9FE7DDB21FB3A86F7C8A1ACF08AC30,SHA256=DA01F779CC5B5239ADBED52755C7AAAF6013CA5F749D7A64999BEF788008D6EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030226Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.940{53AF6CEB-5989-60F5-3D06-00000000E601}9243448C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030225Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5989-60F5-3D06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030224Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030223Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030222Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030221Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030220Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030219Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030218Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030217Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030216Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030215Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5989-60F5-3D06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030214Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.784{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5989-60F5-3D06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030213Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.785{53AF6CEB-5989-60F5-3D06-00000000E601}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030212Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.768{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39B1CE6E36082D24D7BF9FA4157A3203,SHA256=21CA6F4509C1AB8E2EF88A2A7102CE30E782F967F39CDB51D3467836F1C5773D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030211Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:57.159{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BE515122A20A4382949AB6D6DB959E,SHA256=43BD38593E20A88BF4D1B13DA1672180DECA0415FAEC292838FF41492A448B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068190Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=7111A54A682597F6FEA88438CB87150D,SHA256=CCA8EC48A713F64E31A68F0F535F214D95CD14B64CBDB85929D9D1C1C0FC1535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068189Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=64AF8F5322D79094FD8D57A6C7FC1B12,SHA256=17029287FB1E1443B1DA24300908065A993C60675F3C93201FC0395D8C6B3CFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068188Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=89EE8718646BA5079815E36B71E9E4AE,SHA256=7E95D1CC8F997DE5717BE5A49F5C3FE1B127B3CB5C9D02B71EC7B378096C5937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068187Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=FE59872144701950099595CB7A34EDD0,SHA256=A63B42497751F8721DA1564696A4409D228DB1EA3969CBAD03120FB5FA266884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068186Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=DD184CADEEC4F4420A3E7FA2CE75639B,SHA256=F70FCC2FF34BC7F846780AF73FA7947DCFC27E65A431ED8E061B570588A3F9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068185Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.882{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8510FD1A478B44E2A131127514FBFEF1,SHA256=03887093B7B753F7406068BEFB49AB9459DDDB9F7F2B4937749C3705CDEE6BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068184Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.647{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8EBA41964F470531B1DFE66235E8B026,SHA256=F8BAAFF01BFE617C73725697BBAA21C95C9808AAC8EECC9B14573B61319B4466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068183Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.098{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FB644872C60AF5F3E8FF0D31F054A7,SHA256=AF8CD3A5E976E9F5CF674C092216F610BB67B23C8A27CF415E76C2FE7B12894E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068182Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:57.044{43EB4363-5988-60F5-030D-00000000E501}6447716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068191Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:58.128{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A1825D3255BC45E5CC14670DF4231E,SHA256=C7AEFCF0E04C16961E0C9B890AFA759505028D556C98AA1F38B74E35EE6D70CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030241Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-598A-60F5-3E06-00000000E601}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030240Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030239Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030238Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030237Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030236Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030235Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030234Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030233Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030232Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030231Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-598A-60F5-3E06-00000000E601}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030230Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-598A-60F5-3E06-00000000E601}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030229Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.987{53AF6CEB-598A-60F5-3E06-00000000E601}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030228Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.846{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94F1E749A254B928F580A0898FBB154,SHA256=74FA935969C7B17CF0929659872B06D5C15FCB4881DC17F4BBB9150AF555B668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030227Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:58.190{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6568CE5CA1601A8ADE0075D09B4B0D07,SHA256=E46A19FBE70B0E38AFDCCFEFAA35C4897E6789CEF65BAD26715B40DFEF7F8045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068192Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:59.146{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D406C4B22ED938FE3F1CD307883528D,SHA256=8239D92950CD43B4188E2D99C653561743E250EEA80935C190CA4E7ABD9D682F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030257Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.815{53AF6CEB-598B-60F5-3F06-00000000E601}27201000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030256Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-598B-60F5-3F06-00000000E601}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030255Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030254Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030253Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030252Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030251Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030250Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030249Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030248Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030247Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030246Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-598B-60F5-3F06-00000000E601}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030245Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-598B-60F5-3F06-00000000E601}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030244Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.659{53AF6CEB-598B-60F5-3F06-00000000E601}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030243Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.315{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8721C7633C0A6D60EAA22A0C4736FE73,SHA256=31D4754CAE02A1CD9D087DCE806D0AA56047B9C20E6882ABED358AC068291F4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030242Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:52:59.159{53AF6CEB-598A-60F5-3E06-00000000E601}32204064C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068193Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:00.180{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4843C40A86B79257E1C463F50263C542,SHA256=C4EF6FA1169D39DF9D8F51F16231065187BB5E16949BDA6CBD32831110AB5296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030259Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:00.377{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC78652407E382DD53520F99AC71E19A,SHA256=3473D15149A36B5047D7FD5ECC6F26EEFC9D3FBA404ADFE6216C86678BFE0A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030258Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:00.002{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=544AA609E7CE23A10B7EACF2A0E955E1,SHA256=D6A5136EED3B273581A1EB0C032DB8F0C8616422E2F61EF0D31B62F6CEE14C2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030274Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:00.006{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030273Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.471{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8533D87837A9CF4B239EA2EC9771C378,SHA256=A1A230B37F3FFCD1C6B4EA8473BE707BCBCAE90E479DDE45C32ECEBD7DC95207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068195Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:01.196{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A3040D99B4788D04CCE879CF71CDB7,SHA256=13C2D60D64BAA648586750B55ADF7BCCC7597D580E843FEE99B0FE0DA42389FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068194Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:52:59.160{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030272Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-598D-60F5-4006-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030271Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030270Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030269Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030268Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030267Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030266Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030265Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030264Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030263Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030262Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-598D-60F5-4006-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030261Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.315{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-598D-60F5-4006-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030260Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:01.316{53AF6CEB-598D-60F5-4006-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030276Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:02.648{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF940867F422C94378564472B4E76A28,SHA256=A9C76584ABED1F5D63A6E036FBB1E259D5AE562B021E8B62974398CB99D1E001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068196Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:02.211{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34536ACE5FA560AAC750C0999779E56,SHA256=2F8A4EB3BC1B6B15B38A57DBCA8548ED967DAF9972A1180F9D068549DC9BA792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030275Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:02.330{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1005E1E0B7889FDB287E253611409063,SHA256=028FD66CB6549CDEB53DF17B77708E4304FE958B3B6BBB43A32DF79F7B67069D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030277Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:03.804{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F173B60AB1343F7A51128C9F4F32C1BB,SHA256=6055EE4232E448DA63CA06EB2D6EE7B46EB3BA924CC73C8AA6E50D2E3B3D0829,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068197Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:03.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C1577EC7C5C76D86D64FBB28969760,SHA256=248778553E12D8C8C6847E91DC2ABB56B6F05925ED30A7A5E56F40FE2862F88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030278Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:04.929{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1CE7C160EF6901D4FCE84783C4F7D28,SHA256=0C2A7F3023D92FDF0415203C051334EDA2CD953FBC30E12CCE92FF52BE25370A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068199Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:04.879{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068198Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:04.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9EF311C2E7998D4C911E2D8BA331D1E,SHA256=6794831BDFE9458151845568711796503818CD769A1FF4BF0EF3C8515A0F51F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068200Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:05.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FDC25DFBBC5BB609CF25592684621AA,SHA256=2BB2EECE189E65A5263C42382EC512F701629E2743C6F9D402155A79AF664DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068202Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:06.309{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BD1A31E2A8A2051CBED9ADDC7962F3,SHA256=519D48D3F693D0650D71EDAA2DF8514FA1FAB1FD5131F8BEB98DB098E01D1753,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030280Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:05.105{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030279Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:06.023{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B03F756CFDD40EA3275DBB00D7AFA3EB,SHA256=ACDB3A958F733A3D7DACAF35E9570D8AB637FCD53548B0E352E0BA5EDC906560,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068201Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:04.796{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65262-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000068204Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:07.323{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AAE4679FFB758BDCF6387391D6B529,SHA256=413244675E9D3A65CE4C439B6F4710A1991990E96406A59B1D713FDC757D7143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030281Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:07.038{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9AB57095F996CD53852B4B3323816AB,SHA256=624F607C62EF8D216BFC32CDA94EC85D541274A36292D10039B9A25F1D41DFE6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068203Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:05.074{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068205Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:08.375{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8872C258797C5DE80D4B03BD3495CBB,SHA256=BAD02F34BF9A9782544490160A75EB6C48D4B1CC54DB5DB3CB920331D5634F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030282Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:08.179{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D314CEC2AF6CBD293DD8CB1EA91F077,SHA256=6198223DBBE6BCFF0104E21B321C49C1524A017D5F0E6DCEF9FE91083177D97A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068206Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:09.406{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C73F9DFE35F2AE017D02C7CB9B83E,SHA256=A169A4E2CF933427023F277AC07F3DA5CA86F23F62579AC0AD6689E7DF2979BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030283Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:09.195{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611B3805D88EE74C78FFEE9B5661FBAD,SHA256=442078EF6D8D1C273BD0DB8B74307F0AF52B3AA9A68531B4DCA0238712913C9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068207Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:10.420{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758525227DDEB490FC8708E37E6A9450,SHA256=6769BE00F70846EB676FDEC35191D317FC9FD44816241B2CF254FAF202024762,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030284Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:10.210{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6107E8E4DC694DF8F2B16D3AB55FC61D,SHA256=AD69135E5FDE6FD44B75593C144D8CCDD8579148ACC5549DFDF7798B677BB9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068208Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:11.439{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4CDB85800AED2222F963A057633177,SHA256=1FFB5794ECB0D54B0E56C99C8A0D3FFC128F5605DC5B5A5608C9BB4CD9BF0B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030285Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:11.226{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43761449C01E69AB0F6F45CD2602E79F,SHA256=75F1466943A366B6AB7E69934E31B6D91DFAAC8AD04D87A4FD185F7DF93264E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068216Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=BD96574EC837A17F5ED09B2035735977,SHA256=DE0ABF102A2B67C63EFEFBEBA2AA40B3700E2AA462D68A7FF08A9CA4736CF288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068215Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=C91B0C7FA2E6B6FA55AA36751F1A8375,SHA256=1C83FAD418095FE30AB3D0AF237E792D051946C74B6DAEFC020BABDA76075ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068214Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=3D40142163053CF0B704F440D62FE0C9,SHA256=9BA12A7BE37E3A68E57601A8FF9CD2390D4F88FA70B15499F1695A8BF16E6179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068213Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=926EAA699258770EFB768D61EF2C9A99,SHA256=C9CCF9C844A547D63C574ADD4A36BBBD00DB99AC4CD79C808076D68DFB152C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068212Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=A2D4A688139512D722E45EE3A128167A,SHA256=2477CFB4E6BDF15021066B96888773CD7A1CA421C2015C94EE487523905EE95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068211Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.920{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=08C1F02D32712DFCA5E4BEEB10A14EF2,SHA256=A308B1B938A205375FC2CAA48AE8256C22CE2155698AD67EA6D37EF6FE9871F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068210Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:12.458{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FFEE464ACED7AB12A6F75055A17294,SHA256=8E9A7D8F2372B79D21C3C664370A0C12DE90AFB28D1828178B2548EDB67D3739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030286Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:12.241{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDEC9D3D7FDCBD8D4F024D2B1A0F4CCB,SHA256=199DEF4351D7E17C92C24812ECE49D8130A68834DD201E1CC610015203A6C5EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068209Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:10.969{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068217Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:13.489{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB763526E43702CAFD111329494FB4F7,SHA256=8E1888F65FD9588E4F61BB1032C04BB9A9FBAB63753F0DBB3D1ED7BB34B1F116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030288Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:13.476{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05FF3A3C5FD7B19B61CC7C053333EEAD,SHA256=FA18ABF0C60C2412D019F93A8E176D2938B8E5C380CC0354860A952C3459005B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030287Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:11.074{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030289Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:14.663{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5D1DB0066609C2430B15D45D65A58F,SHA256=48561A74F1CFA33904D2C34BA69FFF252B0B597938506437F14F3FD7B09C81E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068218Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:14.538{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D794C38B05CB54C1B88D462BE5F24A02,SHA256=65EA38E94CDC68A6E1DDD85C2B784440EF6331853DAEDEB5B2A6C40B7D27583E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030290Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:15.695{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C16D8E6BC69CCA43AE08AFD4563984BB,SHA256=31134C10E87CC41E54067FFB0C88C72E94D4B81209BC6CE116B058E715BE4BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068219Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:15.557{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DEF6C923BB84DA6DCF43B873F25FB6,SHA256=A1B7811F4AAF2FFC1F9D9A2428969CDB6334A141FCA3024E773172441C1A620C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030291Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:16.726{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC487868A046F6738DC51BB8E0D0ADFE,SHA256=D231D23434D99E1C1B114733AF76A5AB98DE7EBD41FC3BF850B90070E00069C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068220Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:16.587{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFD76444B0B5BEDDBBC64E22F84B4D65,SHA256=5E1B5E6367B32D2B21F8BB84DE614294123D82B13A91ECF4AA56FBCB55A1BC8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030292Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:17.851{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243C7314C0AEE9FE0DAC5CF41DDE8C7C,SHA256=A22C65E3B24F3477EE86B0FADC71168C782E2E314C026EC0B70DD930EEEE3B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068222Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:17.618{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7632A9D7BA5F01B8C47837BB0B2F801,SHA256=692008FE764CA029FED098F96AD616E242C3701A0DE019C6E1701E4370F95466,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068221Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:16.105{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030293Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:18.898{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6F10791700E18D2885F1C78DC417F41,SHA256=37F8DF43C90DF8F44DD356A809EC81E7F7F25AAE40D13CCA12CE503A7B884339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068223Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:18.639{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C33E2B1EBB5BDDA1F99A20F0C053BB,SHA256=B0A7AA18299927C6495341BB7E02D158FDB4E9450EBF0D2CE13D7A675CEC5555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030295Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:19.929{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87FB496BCD566B6D90FDBDDDC8956099,SHA256=49BD6DEEFBF8EE3E1807022FCC67C259E8C3D5B841978878801450BEAD3A90BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068224Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:19.640{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334F7C7F5D31A5A405084FF1A5F8ACA7,SHA256=DFE03AAF40948819A9CCBD9990980C5CF5169F83F169759CF74BC399C08249F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030294Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:17.011{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030296Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:20.976{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D3082505E08037732C10F7F8FF6FCAC,SHA256=6B6AE61ADBA2C94B1FC66AB17464CAF8652296CDE02C9A6CF310519F48D1ADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068225Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:20.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D61E42B9D86235507D11CCF6DF7E39,SHA256=79B6AA89AE2F19FD88B38BE0098174D35769ABED8E67B77C37109125CEA441AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068226Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:21.671{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF51867491DDCAB65EDB1AD080E807E8,SHA256=401A50E3B898D5D9E4D2654E2FAF2D1898C2EF0F71FD3A1B97571449E6A7C78D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030298Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:21.538{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030297Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:21.007{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=014307ED3CCEEA632D768BBAC62677B8,SHA256=5745ECE4941187AE1E9472434F889407C84DEB3D9BEE1B4067B599C310218549,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030299Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:22.195{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46F5E7ABEA8606C787406B8BB98A274,SHA256=4640599CC4B62896D854014975DB86A40AC2591AE447E021791E878547362848,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068227Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:22.719{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2CF136CE8B2F47F10637A42E59292F,SHA256=F50B6F2F02D7709F0B139C0A03CEB041A32F1F687EC0BFB817BF321511827A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068229Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:23.736{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BE525584C8C1A6A9691AAAA8F595E2,SHA256=34F0C91BBCE0980E597E7A2DF4020FD5661A92CAE80A04AA5274F392E195A44A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030301Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:21.402{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030300Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:23.356{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=741DF723D17D76EEE73085E74FCCCC0D,SHA256=110C6FC6D5640D3D8633567A01C1F2AECB3EA4465C6E994B921D91DFFB487037,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068228Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:21.988{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068231Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:24.771{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=801887A4F6B28D67B11DFB22B439F1B3,SHA256=354547BEBDA672AC8061B12026413B1EC96E3F55E357AE5D25B4D48EE00FC555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068230Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:24.755{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009BBC87AF58DD90CB466E5763653020,SHA256=B876F12373DD68630D0FE2B351A3B9B8DE82DBF181EA9A078BEA249C7D1C8667,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030303Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:22.011{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030302Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:24.371{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988CD45938F553338F9F4D4E44CB3F37,SHA256=7A0C0B362B1CDD6243AE1A3536CBAB6A0FD8BA5AE119AB5591C65F0CD6A8865E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068232Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:25.785{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A76CA7DEB2CC9209BBBAECEC9543BB9E,SHA256=4893FAC00DA4E140979B840ABB10AD8E2F3346254B826C4B0D908DFC41C18C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030304Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:25.371{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BB63FA65B0B33CE03A39DD27A4B65E,SHA256=5DFE02673EF6E5E24B52751B7D144780858724EED593D663DE549D588533621E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068233Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:26.800{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77185AA3045292557F4C833CFFBB4BDE,SHA256=177BB55DC69B795A383049705D7CB19C829FB8702A5A578E1D90B47870439678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030305Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:26.387{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8A16D8AC9DC70A6CF925A62941EE28,SHA256=3DA7F85E58AD642A53FA27E33974DBB909EDD5F73EC09A89377D27BAEEE67682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068234Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:27.815{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD0AB09E99529FF0F9F5A8E9F7160450,SHA256=E72447E415BE4D602B06CA625140EE4099734D7D37C5FA8BD909B60A1F14FEAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030306Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:27.402{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A568F96CD94EF0751BEF7475BBB0D9F,SHA256=C6EEE6BA86A560B445EF37428369269F62C0A401DE8D1F6A9862184687F3B364,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068264Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.851{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7040EB26E7987A63191EB1C9CB08B4D1,SHA256=5C6B07CE4F087807D4C42A693C909E69A7853CFBBC6A4207211D59B6C2C1FE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030307Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:28.402{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2936C8DBE3A62BB55674565760D6F0,SHA256=133A9480CB7C891D3850F656358BFC07A98E0753200DEAD4AC1AB2122C908397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068263Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.632{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068262Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.632{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068261Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.632{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068260Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068259Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068258Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068257Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068256Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068255Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068254Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068253Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068252Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068251Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068250Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068249Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068248Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068247Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068246Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068245Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.631{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068244Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068243Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068242Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068241Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068240Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068239Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068238Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068237Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068236Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:28.630{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000068235Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:27.148{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068265Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:29.866{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0713CB95C7E5DD55A42F78D37CF93473,SHA256=F88044FC9F66EF15C508E8C45725212756804753E841DD7A153C996A253315A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030309Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:27.938{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030308Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:29.418{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9463BFF5936F2EF6FB765BF00847CC,SHA256=3022FF8FCBEBC1BF1E1C791FDE5C21DDD50629016682C28EEDD51F271A8C3F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068266Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:30.896{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ECFFFD46B6B86DB7FA667826E356B0C,SHA256=4BA8E0C8B387EBE981602DFE8E1DDFEAD1EE7CCEC740817709871BE47B360615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030310Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:30.449{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2739DB2B09DABEAC4108AD2AE105DAD8,SHA256=B0329485B1C0A0FD920EA5FCA79A9BB7E0B2F9C3E1222F53DE09C979FC0E81F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068267Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:31.897{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208BA8718804A830EFBAF0B64B6CC9C6,SHA256=6D2377BB4CC434714F97D0AC3D66FD0D920C8A8B4755F2015DA220B584AE9CB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030313Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:31.684{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8034A6D2A30E2537D6155D64EF5A7351,SHA256=CE28414C53EAD649BC7137B4783713F6C3F579726DB5203F54B13222856F61BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030312Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:29.520{53AF6CEB-39BB-60F5-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-286.attackrange.local138netbios-dgm 354300x800000000000000030311Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:29.520{53AF6CEB-39BB-60F5-0100-00000000E601}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-286.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x800000000000000030314Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:32.918{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A09227B031609FECF5BF4620DFAB6F7,SHA256=D0E8B2D06793A3C5C10F655AEDCCEE36C6E8AD68420BD93AB602AE69CEF8B338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068268Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:32.929{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09057D9C0D31B1F4B0AE2A5397AB9D9B,SHA256=1B2937949041B5DCD371C1ED9C7A7540E8A2CED702C9DF3CE918B7D4B1BEA184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068269Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:33.964{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=063C2B0926049B448C5DE9E4164C86B0,SHA256=A9440BD77DA16ECA27A09AE899D179A057A40783E6A4458C3E8E9DC185BCDC48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068271Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:34.964{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A4E181550D86C2A1F65F4C20B999DD,SHA256=39B58D783974A6693E8D754BA898CC57A74AB285F56F4C575798BF2844E93847,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030316Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:33.016{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030315Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:34.152{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE182133FB1AC01825DD2237054EADF4,SHA256=EB8689753124DDD0F80695B4B0D4B8077C442BF2A0AC84D181083C98622D8F85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068270Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:33.012{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068272Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:35.994{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99D3846B5881B5AA9686013153BEBA82,SHA256=C2A00AD15ED740A24DAC6C42F3655576FE301F98AFC0186F413C3AA6585A23B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030317Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:35.230{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D13A2F5F0FF709F62A7656D0122B22B,SHA256=9450F64DF8F6B52B60489929A3EFA58309AE7B14B8567078FC81F2854DB1A6EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030318Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:36.293{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5360AF876433A0F4BCBA63C93900AFB4,SHA256=B59E1BD42BE16EDE99E485DB7E142976D56085AC274B6C4A5E74BC7B7EA29E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030319Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:37.483{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC6A7CEB9957FCD2DCB7D7C451E080E,SHA256=2741C110AB686DF2E54D90CCF87B3485C870056C54DB712A563A6999AAD66FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068273Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:37.009{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118F9AED37E0CEFEC07BA61FA93FDFEB,SHA256=236E3CEA8E7F24FAD558661AD03483BDEAE7540BFECD73E634554B540C040751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030320Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:38.526{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8235A872B044552CE0BE23D6B5C15D3,SHA256=02844ACF7D028AE7B978101C1BE8BA6CC00910BA8936ABA2E688D68682375798,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068274Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:38.061{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFC0605EF7C692908DBB18AE37C2B9E,SHA256=2066226349E8D5FCA9CFD3482FD3C692DE18C59C55B543EC8E57221406064099,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030321Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:39.528{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC424CB07C2300BCEFFBE27D3C0E777,SHA256=01F2E60819931380BB5035AA81EE2513726FB2C2C276D6DF3556116F13005BD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068276Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:38.160{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068275Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:39.076{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0ABF38576ACCB15591DDB115444578,SHA256=09DA643C83A19449E6CE0D040CEF576334EC2EBFFFF38862DE46C45AD0FC3531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030322Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:40.533{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84D27167CD5F7148FD0824CCFBFDBB7F,SHA256=D99E55E9FAE1638C95DFF63F35C06C4C4CEEACF9B83508E04C1A588EC98DA8F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068277Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:40.091{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E4588D8068C17BAEE9A57213AFF7251,SHA256=044D9A87F0D4D032D4D680694D42634E1846B8FF07BFA5F964E7BFADF7818CD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030324Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:41.544{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDF53F87B6AC6F090CEFE98DA4B9343,SHA256=23A1E4842159FAB4D7AE64ED14D3A29A260F94A7C8F3190304A7177439A3F173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068278Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:41.106{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B6188ADA4439B107D9E268CF2CC7063,SHA256=25391202ED6FC7B7C9BD1619981E3BA240EA2C70074293D113BA847236BAD57E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030323Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:38.923{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030325Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:42.575{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C356BB52C843CDFE71A9F389CB77759B,SHA256=72141A759382B38758A6F12F58960CF57A0B0E1AB723F507146B3B4156E55CAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068279Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:42.123{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA623E64217EC7DC327B5948AF55DFC7,SHA256=D0810F64DA611ACC192E41BA84B396A412EB914A4F9B01D46E9C91087091B869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030326Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:43.808{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E8786CE4D3570FE5EC2164CD12DECC,SHA256=51595E1AFB24B56F23A55FE4D124A56A5918061247C1C070C1B1550FECC82D05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068280Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:43.143{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600B28567457F077B8A5C58B9F04B505,SHA256=7B80625D1582E218AFFAFB2441CC8ADF854AE63C29480CA911D335D55F854641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068281Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:44.157{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9884A9A96194546A39F167CA8BD70758,SHA256=21639CDE5A411E0E75D0B88F3DAFB65299A22DDB1972C5DC31114849C46705C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030328Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:44.078{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030327Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:45.027{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79F72B81A81D473ACDCF9FA699B1A81,SHA256=E7BCC7813F5C35044E37875C520D30CF15C0791AA247EFA803C6C33988020DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068283Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:44.090{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068282Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:45.172{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812181540F5012A7BA3CB17AEEB2EA6C,SHA256=2A41D025F2D2E41362813800135B45ECE95360C2F0FF7FD3755C8B63866156F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030329Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:46.261{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EECF6A482D55CCCB6F4E1A2C3294F134,SHA256=E4EF099AA4F1337B5F23764CB995AFD578E616A7C26C5A65ED48C89BFDE7143A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068284Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:46.187{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709E7B8856A7F70B23C32C6CEB4EEAD8,SHA256=AB0058940B2E3238609DE41B9D37ED997E7DA5A7A885C8F9F92EC0A964EEF061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030330Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:47.402{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B377239E6268C7114C71D428C914601,SHA256=75A641602425A9EECB9BBA3EAE22F88347BA3923CF050F6D517B198DDBC82A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068285Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:47.201{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2842464312A739F82354177A4C6E5AFC,SHA256=BF5B2409F221DA577C3C692D5FEE98B30028422D7D53C85D229533C59AB97106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030331Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:48.621{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BE977FE30B74D1003F8AD293980252,SHA256=4E0AEFFDA5697D61C0FC83832C5EDADCF7E59BA9ED0D21E4EF3F42FA81F24DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068286Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:48.201{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC17D59F626F7D10D7D008F19FCD110,SHA256=43D0F8C4EE757184E1872AB87AE3286896BA0DEECDAB1C14AC92C5BEACD0C5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030332Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:49.652{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6653A5F2DB0B000E678F01DDED2AC7D,SHA256=1662BC50D45B58F99E9CF5A631568A112DB62131D21CCF5716188191AB2F0744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068287Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:49.219{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E10EEE212375455F7653CD83FA66163F,SHA256=78A1DABB0DAEA77067A6FDD87BCBD098B29E915B0EAF94086AABD315F4CBE7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030333Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:50.886{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D017846D6FC0E10A80A4BE1E1163B1D6,SHA256=6C5B5859DF7063022F452944D8F0F86411591C206C9FB36AEA6D4A91AD90472E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068296Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59BE-60F5-040D-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068295Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068294Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068293Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068292Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068291Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59BE-60F5-040D-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068290Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.337{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59BE-60F5-040D-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068289Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.338{43EB4363-59BE-60F5-040D-00000000E501}7460C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068288Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.253{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC41FCA49E3C46AA9DC07F1E58414395,SHA256=2DA8B0084249FA7AA6BC737B6F26D2847CE67AF718B8AE8681207741D18FC381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030334Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:51.902{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FF00158FF4D8346301535619E3AC92F,SHA256=9733787406522BD9133051ECDA313588FC1BC561D76B79825985EDB9E14655B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068316Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59BF-60F5-060D-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068315Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068314Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068313Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068312Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068311Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-59BF-60F5-060D-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068310Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59BF-60F5-060D-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068309Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.890{43EB4363-59BF-60F5-060D-00000000E501}508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000068308Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.419{43EB4363-59BF-60F5-050D-00000000E501}48967948C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068307Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.388{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A33B2864990476B316144B851DD64A3B,SHA256=BA859EBE4544DD57ED54CD37C98C8AACFF7286209F48BE6C15B7E65F98E49661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068306Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.388{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=041F68075A611CCEA82229B9DAC84130,SHA256=69F99E7AC53F85EB0A53999A5F4BE4D28F264436AC9C76B2C33314489F1FDBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068305Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.257{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4873C52057A2BB74484B6AE09447206,SHA256=7D545613C80297F116231B37DA2A5B998E47B74D1C17E30A1D79719334E8E116,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068304Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59BF-60F5-050D-00000000E501}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068303Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068302Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068301Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068300Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068299Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-59BF-60F5-050D-00000000E501}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068298Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.204{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59BF-60F5-050D-00000000E501}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068297Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:51.205{43EB4363-59BF-60F5-050D-00000000E501}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068319Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:52.919{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A33B2864990476B316144B851DD64A3B,SHA256=BA859EBE4544DD57ED54CD37C98C8AACFF7286209F48BE6C15B7E65F98E49661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068318Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:52.342{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40EBEFC1CBC5CA522F057B5520BD311,SHA256=CD0AC55143607B170F802679726DECFAD99DD816747AF11D1E2C46E98A61D5E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030335Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:49.937{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000068317Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:50.032{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068320Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:53.358{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7C01B605E9CA087969075300E5EA97,SHA256=55DCE84F7DC736E8CA8398BEEEBAA73888A4FB40A2DA6B91359AC7F1C66D8AEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030336Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:53.136{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CB925E8DEA5615C4EDE28F11E4A7B8,SHA256=1F567E516D021D05966C84D6590A5B88BB612C3DCE18F9F51D071C5037632703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068343Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.888{43EB4363-59C2-60F5-080D-00000000E501}69567752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068342Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.757{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC4DFF99944D3878181DF2A0736112A6,SHA256=29132B5A0714D650CD8FF02584EE0491D83227AE54B294DDC5A495CD7F8A3AC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068341Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59C2-60F5-080D-00000000E501}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068340Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068339Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068338Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068337Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068336Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-59C2-60F5-080D-00000000E501}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068335Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.720{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59C2-60F5-080D-00000000E501}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068334Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.721{43EB4363-59C2-60F5-080D-00000000E501}6956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068333Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.373{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE37AE291D0C6ABD94EF2660B1B88B4A,SHA256=AFF3F17836C4DAC44ACE4DE4FCB06403E7AAFBA9FB10FB0B2197FC9D5A11387D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030337Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:54.371{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303EBFC300EDF3F6745E1CD8FF06FB32,SHA256=D4F4429F9084DDFEEA65E4E8D414661145BEA1A07F7921DDD68BD7E739BDB56D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068332Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.289{43EB4363-59C2-60F5-070D-00000000E501}53046316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068331Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.173{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068330Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.173{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068329Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.173{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37A7-60F5-1500-00000000E501}1224C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068328Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59C2-60F5-070D-00000000E501}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068327Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068326Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068325Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068324Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068323Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59C2-60F5-070D-00000000E501}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068322Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59C2-60F5-070D-00000000E501}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068321Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:54.058{43EB4363-59C2-60F5-070D-00000000E501}5304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030352Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.605{53AF6CEB-59C3-60F5-4106-00000000E601}39923772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030351Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.450{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C6FE5F6824FB90E6F84FD7008D31B8,SHA256=23A19281517116D3747F9E0447FA527B13199B87E0DBD082F695FA7C68A16E9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068354Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59C3-60F5-090D-00000000E501}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068353Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068352Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068351Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068350Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068349Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-59C3-60F5-090D-00000000E501}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068348Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.757{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59C3-60F5-090D-00000000E501}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068347Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.758{43EB4363-59C3-60F5-090D-00000000E501}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068346Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.388{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0383C23E6A88CE8565843880E343E72,SHA256=4B87C2955CDFB582B95B6D9495241E85528AD9CEE606943464FB322FE8D59954,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068345Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:53.669{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65272-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000068344Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:53.668{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65272-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 10341000x800000000000000030350Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C3-60F5-4106-00000000E601}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030349Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030348Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030347Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030346Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030345Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030344Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030343Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030342Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030341Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030340Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-59C3-60F5-4106-00000000E601}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030339Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C3-60F5-4106-00000000E601}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030338Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.418{53AF6CEB-59C3-60F5-4106-00000000E601}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030381Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C4-60F5-4306-00000000E601}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030380Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030379Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030378Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030377Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030376Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030375Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030374Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030373Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030372Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030371Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59C4-60F5-4306-00000000E601}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030370Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.761{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C4-60F5-4306-00000000E601}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030369Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.762{53AF6CEB-59C4-60F5-4306-00000000E601}832C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030368Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.466{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E119E84A3AF1E735B1917C88BB1871,SHA256=020F3D81EAADE730F11EB75EDAFE725B193C5D56096103FFD0FB76F9EDD7410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068365Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.804{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32C2FE1E9F9329BFCAEAA93BC6A99A04,SHA256=E9E777DCDEBBA3235606888291FEB289E4E5EA123D43B9191023C606FF093B6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068364Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.641{43EB4363-59C4-60F5-0A0D-00000000E501}41845172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068363Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.440{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59C4-60F5-0A0D-00000000E501}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068362Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.438{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068361Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.438{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068360Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.438{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068359Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.438{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068358Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.437{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-59C4-60F5-0A0D-00000000E501}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068357Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.437{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59C4-60F5-0A0D-00000000E501}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068356Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.436{43EB4363-59C4-60F5-0A0D-00000000E501}4184C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068355Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:56.388{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64FA42234434F011E730119A6F25172,SHA256=B4FE5B203BDFBEB3791282A579EB48FCF532FA54C1E9357B8E34A278BD763000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030367Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.449{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618BD5500221A0632D34A7EF4AAFC3E6,SHA256=8CCCCEEBDE867B338C2266259723AE31F51D7891B1FA9A6A2AACD33E5BF6FB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030366Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.449{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79277383EAEAECED30BF51F3B8B82AA2,SHA256=7FB4BB020AD03BB755FFF26896975722E9DB5ABB5B85F0EE3DFE01EB363EB5DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030365Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C4-60F5-4206-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030364Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030363Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030362Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030361Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030360Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030359Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030358Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030357Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030356Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030355Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59C4-60F5-4206-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030354Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.089{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C4-60F5-4206-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030353Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:56.090{53AF6CEB-59C4-60F5-4206-00000000E601}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030397Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030396Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C5-60F5-4406-00000000E601}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030395Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030394Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030393Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030392Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030391Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030390Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030389Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030388Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030387Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-59C5-60F5-4406-00000000E601}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030386Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.808{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C5-60F5-4406-00000000E601}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030385Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.809{53AF6CEB-59C5-60F5-4406-00000000E601}1956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030384Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.777{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=618BD5500221A0632D34A7EF4AAFC3E6,SHA256=8CCCCEEBDE867B338C2266259723AE31F51D7891B1FA9A6A2AACD33E5BF6FB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030383Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:57.621{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3FE3DFA4F86AA3A3AE97B86B8CDBACB,SHA256=BBD03F2BBDB317D748CCBC80D7ED48BE61A2DD53006C94582231084AC77A0A07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068366Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:57.419{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3EE8FFC72DD70A66D9A7AEB853A44D,SHA256=2E5D12F0D74ACEEFD0E2C82BF27B886BACDFE548F376603D866102E877D87EAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030382Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:55.124{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 154100x800000000000000030401Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.997{53AF6CEB-59C6-60F5-4506-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030400Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.808{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE462DE991858879E5DB11F955972C8B,SHA256=A4DF7C9CCDAAB234A64AEF9FF59CEB4C881DDAA24B61F0565EF1943AB8E76B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030399Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.793{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8F0E4AC2743DFB816533C6DB5097247,SHA256=498C372C49159495108AC39A28F9E7286A0D932067AFE736D5FE0DC70A410473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068368Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:58.439{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0219D924C8C4FB36C3FF784D1862B5A3,SHA256=095A74AE82424C03F8A646C487D65AF4B50D1A58FCE685F2157AFFC550516E22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030398Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.011{53AF6CEB-59C5-60F5-4406-00000000E601}1956584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000068367Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:55.990{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030429Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.871{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FAFC55F910140675BACDED887C76B9,SHA256=7DA2DBAEB4936509C4BBD81F99423DDBB5AD69F5F8E5937FD121AF71ACBCD45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068369Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:53:59.457{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EA13E43ED79E46FB224B965DA91011,SHA256=9AB0B9C34031A4615F90FE3D1C3B87816132654611CC4DC9639805243325A166,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030428Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.683{53AF6CEB-59C7-60F5-4606-00000000E601}24402544C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030427Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C7-60F5-4606-00000000E601}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030426Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030425Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030424Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030423Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030422Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030421Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030420Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030419Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030418Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030417Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59C7-60F5-4606-00000000E601}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030416Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.496{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C7-60F5-4606-00000000E601}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030415Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.497{53AF6CEB-59C7-60F5-4606-00000000E601}2440C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030414Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:59.214{53AF6CEB-59C6-60F5-4506-00000000E601}16161700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030413Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C6-60F5-4506-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030412Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030411Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030410Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030409Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030408Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030407Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030406Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030405Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030404Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030403Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59C6-60F5-4506-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030402Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:53:58.996{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C6-60F5-4506-00000000E601}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030431Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:00.933{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873FD868BA3F2412DF8586E1D4725C2C,SHA256=4F56913B1A9A0337CA7C451AA0E6935DFE9A521449986FDA33B7B49B68584874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068370Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:00.487{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7619A125E5125D69628838FF7365470E,SHA256=DAB07620B0966ACCE0C439D8CCC64A91675C851C6D0782F67FE907ADC3D06378,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030430Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:00.011{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C7A6C221F56414169C8CEAE430FA427,SHA256=7BBDBCECB40F07B63F12F9A778212CC157C9E62CC849EB09337DAD1A16418C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068371Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:01.518{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DD12AAD4E7919A66DE862111EBAF43,SHA256=59C1933785B6A45DFD3C166A335CD37D4F9708CAC195018C9559EF351642BA74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030444Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59C9-60F5-4706-00000000E601}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030443Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030442Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030441Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030440Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030439Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030438Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030437Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030436Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030435Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030434Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59C9-60F5-4706-00000000E601}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030433Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.230{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59C9-60F5-4706-00000000E601}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030432Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.231{53AF6CEB-59C9-60F5-4706-00000000E601}1484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068372Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:02.555{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8E9741732C243BC17E9287102C509B,SHA256=3C6EF0B869AC64B0692E5B8303BFD5544C9FD4BF5433CB7D6B63772DA3618C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030447Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:01.031{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51363-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030446Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:02.246{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DEC3CE4BA6ED4252AB21438BBB4D038A,SHA256=84D3832EE51BB2A17AA2CB7504D2733568D2316CD22C5F5EEE137BCBB42C5553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030445Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:02.152{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9CDB68720939CDF35B981302D891542,SHA256=D54E823CAEAF6CF17FA40043743C90D6D6F39F1CCA951FCF44A82223FE01F8AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068374Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:03.586{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E52C1BDB97D18FA6983BA7503DEDD8BB,SHA256=1B12F890F2444F481B69E0FA77915D89093BFDFE80455EA811B1B045FA50499A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030448Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:03.387{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1ED3D772C1187FAD0558676F89AA6A,SHA256=305D4880115A847944B4635FFBD9AC19AEF9FDC9AB4B6F2FF6548A9545B30CBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068373Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:01.103{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65274-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068376Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:04.900{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068375Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:04.600{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE9FE2CA89F0362CF78C317DC71C70C,SHA256=C6845E9D9C565C4A7F2D1A2A64769A710CB7A865AF03494489DB1EAF769FEC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030449Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:04.621{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6F3F49A85336054C221D9825BCF273,SHA256=F2DF293DF983537A9813AC679C709BAB91B522840E00258BA3861068D94BEEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068377Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:05.633{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CC1593A35C8EEAA65DB4C9E729390A,SHA256=652504899FE18B463B27F96FF35C66EAE2C1F85CAAF510E6BCAF7820AC34BEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030450Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:05.637{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D34E7EE49973F8BCA28A6F85A536E0FB,SHA256=67A450361F2E9A7DADE50A269D240719DD838F56013952EEF567A917F4639B09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068389Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:06.653{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D36BD9A9C1B549751B93F844E31A959,SHA256=17A66BDCEF5CD7E3AE911468DA75BF443BCDE4F71B4A64A9D98AF5FDB5E71AC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030451Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:06.871{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8C32743CF929F3065C7092D9579D35,SHA256=24DDC56B688748AA202EA12C7C1B8B46C4E00046F87DAE2BDF24B9F724E51E19,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000068388Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000068387Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00858035) 13241300x800000000000000068386Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c84-0x031b5f51) 13241300x800000000000000068385Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8c-0x64dfc751) 13241300x800000000000000068384Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0xc6a42f51) 13241300x800000000000000068383Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000068382Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00858035) 13241300x800000000000000068381Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c84-0x031b5f51) 13241300x800000000000000068380Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8c-0x64dfc751) 13241300x800000000000000068379Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:06.468{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0xc6a42f51) 354300x800000000000000068378Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:04.817{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030452Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:07.902{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36AD5EDCD4BE6BD91AC8DDD74A38C36,SHA256=FFE81DB7EE87A44D6B0C0379FAA3DDDA85D7C56850A720F2157B4F4BD6A2AA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068390Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:07.653{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EF88138800190B69486F6C3E574F4C,SHA256=AD12BCD32448A83E83199229E9F1F597E8F784B2C3C6E8F70C61D5CEB073813F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068391Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:08.654{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF27D5D10434AB7BFB312AB6D50DDD59,SHA256=A1171877D275EFB9A0A8975AE5509E92C49A713ABA66B990CDD795C17B55E1AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030453Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:07.015{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068393Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:09.668{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBF020763FFBE29FF6E26FADFA984EF7,SHA256=66EA408C4D085B182F797D0AFDB0892D6F6FF31BE0CB6C5F13F02D8A7E7251E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030454Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:09.121{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=647813EDFAFF8D2060A61089C30D584B,SHA256=3A77875B47E065D77415D91B8E8E9C8532AF0FCD78B1244217E090F73830BED8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068392Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:07.017{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068395Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:10.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6483909A9DC6E147DD873554A6AF7FD,SHA256=C892FAD20A1659056D62690353E861316AA3D6FAAD2D496FD28EBCCA9E350782,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030455Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:10.355{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A43F30E40FB68354CE3CCB6B603419,SHA256=5FD156B38AB5442C1EEF8CFF828003B0505DFEE37527F75D125A70A3DA6B4989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068394Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:10.052{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068396Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:11.713{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16395993C5A0B9446C63C698547B0386,SHA256=640FC8F8DC252AF253532327AC49A0F1973ECD2AAE45F669A6A02335C857A563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030456Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:11.590{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4667617B4C8706439B65BEC2D0A53C8,SHA256=3B080A2B479946A52797964E81DD5D345BD9332B5F8CCC305D53369A542D5FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068397Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:12.730{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E0547A2E16F486C19842654A819EA0C,SHA256=B1184788B811E7D7198DBF8E64ADC54A4C1CD8AE07A15B4322E379491C5BC4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030457Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:12.637{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00A8B1F188099EDF01BF1B19FDD5F7D,SHA256=175C7CA512F5B86FA4DDF8C99DB5BD13C359DA85EC0143033E446F6E7BF6279C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068399Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:13.750{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4750D363422CA19AEBB6EBA2AE5F5E4,SHA256=7190456B83187A54538DACCCD05B6D6C8C8D2B3131D24F2285BC219C87A30698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030458Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:13.668{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=004FF55294C582C2BAAA4F304C4D5BA9,SHA256=6ECDF1F6B731AF062423E8421A5AFED4B30BB8A4118A33919DB8384FF2F9D6AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068398Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:12.113{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65277-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030459Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:14.887{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508CA32585AF05D290C67B2AEBD49F26,SHA256=2ABC426B046D9A9027F4D8B958447D1FF43A0DB3F0D3EF5DC2E528F080F68F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068403Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.780{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8666B67FB3E008FC97046C52C951428A,SHA256=0DAC816C0BF02A570BE8B74315ACC41A1C2F12ADF2F275764FF387D08AC381EA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000068402Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:14.312{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\80A749DD-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_80A749DD-0000-0000-0000-100000000000.XML 13241300x800000000000000068401Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:14.312{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Config SourceDWORD (0x00000001) 13241300x800000000000000068400Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-SetValue2021-07-19 10:54:14.312{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\288C719A-D921-402F-93ED-77A6E8F040BE\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_288C719A-D921-402F-93ED-77A6E8F040BE.XML 23542300x800000000000000068412Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:15.795{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6685461810DCA2671DDA2A190157AD,SHA256=D78EE6A8EE05CFB3685506B6635E8BB1B1E7E971ED27EEE5892AB83EAF5D15C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030460Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:12.984{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000068411Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.260{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65280-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000068410Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.260{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65280-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000068409Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.252{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65279-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000068408Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.252{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65279-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local389ldap 354300x800000000000000068407Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.230{43EB4363-37A7-60F5-0D00-00000000E501}884C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65278-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 354300x800000000000000068406Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:14.230{43EB4363-37B7-60F5-2C00-00000000E501}2908C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local65278-truefe80:0:0:0:f105:4095:771:5c2fwin-dc-876.attackrange.local135epmap 23542300x800000000000000068405Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:15.364{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED313B13927F9EB29EA8FEBAF2360F2E,SHA256=45ECB7C7B75BF5A186425CF6F6B8E9F81F4D42707CF8EB01CE0DD2CCFB9EE38D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068404Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:15.364{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9AFE47D5D0D942C1ADE137240836CD16,SHA256=1BF0B5ED1625577362975811A0A516292F3274A039CEB016541D3590347C8ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068413Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:16.810{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153A6C3D4511891C0FB6F5758E6F6FB1,SHA256=F73A9DE616D7DD37EFC9D8C395B67C620FDBC41FC6056C0642AE3D940ED5145C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030461Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:16.043{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63DDB46B5B54C2D0DB5CF7AAA37CDAB4,SHA256=FA36ED23BA2B5620D809EB1D92012A88CFDD532C3AFB34158E80DA34BA4CC201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068414Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:17.826{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7472DCD49B75F86442145A96276C240D,SHA256=0AAC560453382A0DC8AE07F3C88E5AE4FCF52858ED8FB90734DD4F5797E301D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030462Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:17.137{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BB6DF4A610E40A80D467684E08DCD63,SHA256=0048849717591B10F695C2B031DAA234F4B61A31FA09F6D7C69B8CED75726D79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068415Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:18.845{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767E54810AB25AA35BADCF02321101C2,SHA256=DE63179F7B6FCA8192318A66747290DCC1A94B8123C321333F49883E87F77F37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030463Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:18.277{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5599CC124168040726B5CF8657C825FF,SHA256=9339BCC3AC8550229FB2239C633007E2908948FA692491EE9BBF2960685B177E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030465Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:18.062{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030464Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:19.512{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1105331BA9786AB98E4B8C905FDDF7,SHA256=41AC8955D776FE1F723BF9D12C43072BFE69024928EDEAD993815CA4F6D0ACEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068416Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:19.860{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A398096DEF51B4EB406B26EBBF71A5,SHA256=8498F9BB2AB1A3E84E80790C4B6C3B3B3A8179715DADF5ED51C00C616142574F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030466Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:20.730{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25653CED9CE9685B16E6D599DF7C5A89,SHA256=B141E023D8B003BD9F93C060FB99E5AF3923AF472A2F2C0EDE6E46CF51DAB2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068418Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:20.890{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAADE8551F6FA37081793926F5EBDABF,SHA256=33D9DFACC497305E4F5F6DA5E845E9C56BB93F33617A265938DE624953B372F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068417Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:18.109{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030469Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:21.746{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101EF0C854EC0796B15EFAD24149789B,SHA256=2B77FF0A366EE5630E23AD5FD0A255D7716B29B93290A1061FA7EFBB7353161E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068419Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:21.905{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AD7DE734CA5D2E30044FA4D689AFD63,SHA256=00AD415E6D3D250D3F8E89E76962B65379DF2DD740C0CDF7B70FF5DFDC622E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030468Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:21.559{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030467Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:21.012{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F796D05BC1E6D5EBA9D753A762FC19F9,SHA256=CA0C433B0B53EE90B3502BB0246CD4C792ADFA71C0CCF41FFEE7D972646AB871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030471Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:22.969{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77BA58324E46D36EB62784902796444E,SHA256=55296BA718808DC19394A4EB4E724DD80726E1B13FCA1D9A3276B54AFE689200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068420Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:22.921{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC6DDD6832A51E097B285CC7DD482A7,SHA256=E9AA97F2FF7F9D8DCCBF9B4E44989BA998DF02EB25E1F75A81413875EC5FED4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030470Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:21.422{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000068427Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.940{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16415B7EB95E59767C7D14F2F41F62CC,SHA256=4518D631D06A7126D2F24945555EF33038513F66E348A3C52093E00EB366D767,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030474Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:23.610{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030473Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:23.610{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030472Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:23.610{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39BF-60F5-1500-00000000E601}1184C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068426Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=17D363319A1A491668C667CFD7D4AD79,SHA256=C8916121A03966624D4860895A12D2D1788B01D79DF6470815355E92059CF2B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068425Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=9CA9615A8EA4D78B8BD9AC522E2E45DA,SHA256=0D6AC332E90F3F51E397C2DB9AFBBAA5CBFBB9276D132E782B6DD3C8F7FE8E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068424Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=D73AFCE2120ABAAC48CF77D93EA7B577,SHA256=DE07FD3E32D66CBD59EE11464D7578A4B0F3A285EB7821BD11CEBB487A8537BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068423Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=C48440EE23C74C55C1BB17D13725087F,SHA256=E54E15676EB20B69CD3CBD0FEAC963972BCAA36E8CE65E3F11C053D88EA3942D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068422Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=D07FA162B81A7253232207FBAEF8B4F1,SHA256=1E671B9D917CD5A721B2881C83A11730DFAAF392FB0271847FEC5BBF93099F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068421Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:23.141{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\y7l8cnva.default-release\datareporting\glean\db\data.safe.binMD5=8F78C25941CA7645C42B86D9DF0D6572,SHA256=5C029355DF745CBD3B4B296BB98AC598B99276453F55F47D0807F48A859D60F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068429Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:24.971{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF0DC908EF82664BFEFA1D4AA9EA301,SHA256=FDAE26DBDFC5CAC0AB3B19158BD4D72D1C8EAF5DE9FB55E19BF9D4575C723A72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068428Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:24.786{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0A6C815E5914ADF80015FE1926EF8E55,SHA256=74F617D057AD7AA6A2A2A22F7C286E455A8FAEDDC96D66682C54D255E8EFEA5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030475Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:24.110{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=013286CD210C3ADCF6D26182AE4A0393,SHA256=48F2934A8D85D53622E4D79E6857BB515B26EF861A05AD1833940869D9EA4107,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030477Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:23.973{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030476Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:25.126{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BC30333F9F0CD88220BA4F914674C2,SHA256=16B8F34A6944053EEAA0645A8944D7F62B2F499D53F8C703DE0EF2A0D62B0CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030478Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:26.344{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468D02E308DF736E71F741A5CCC50878,SHA256=668CE446BD9DDB374C293B73CDEE9D247B7407BFD2E511C9DA4DAAECC5FD56D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068431Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:26.018{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9060195147319B7B5C86A5985C32FB55,SHA256=843871066CE333D3BAD20311D6A75978DFE9E007109D989EAA976EA8F58BC9D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068430Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:24.004{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030479Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:27.407{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBEE9BA92BBEE95B849575AB623F444,SHA256=6A80D58D07FA8A25DE814EB4500DB47475725E68BDBE9BF46B3661E10053BD55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068435Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:27.821{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a10|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000068434Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:27.821{43EB4363-55C5-60F5-8808-00000000E501}46324748C:\Windows\Explorer.EXE{43EB4363-55F0-60F5-A708-00000000E501}6340C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+554f1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF8018105B8A8)|UNKNOWN(FFFFDB38086A5B68)|UNKNOWN(FFFFDB38086A5CE7)|UNKNOWN(FFFFDB38086A0371)|UNKNOWN(FFFFDB38086A1D3A)|UNKNOWN(FFFFDB380869FFF6)|UNKNOWN(FFFFF80180D73103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5927b|C:\Windows\System32\SHELL32.dll+dac2a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068433Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:27.821{43EB4363-55F0-60F5-A708-00000000E501}6340ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF85d3a4.TMPMD5=94EEA79D9A0975F30553974C8581CE7A,SHA256=AFE916DCF97485612B2C6F9FD400B0B135E5F27E2BC7595DBB1C6A60195E967C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068432Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:27.037{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CC8D43EBDB27A7AB6416306355969B,SHA256=6C450E71B6F6C02779EE477299C61DEE0FA4C25AFFC6EDD516C09107D5B7F865,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030480Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:28.626{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E55499665166B1A179BF330034BEFC8,SHA256=E72434F061735631E8A131E6F30CB0B7B13458D1CCB969CA7047DEDC77EB1F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068436Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:28.052{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E6F45764B724F8F197B325DE35C61FC,SHA256=7E83187C925591DD8008934D5091433FC4D0C86ECCD8CA526A6F2FA0BEB59FC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030481Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:29.641{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CB2177DA1452CB9B3EECB7C4A9B93F2,SHA256=B79338EBA3F42359C17F138EEA2B2CA73416BB268CB87A5A448E62376B6E76E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068437Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:29.067{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C62D70D6347889140D7670532DC2FA9A,SHA256=5B40606F6C22A3E47FA768D38600921AC901A0A761BEECB55BEF0A7521F9B4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030482Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:30.657{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE7D1ADF94F433AF3D0B437419959714,SHA256=231680D1275E2065AD15C4AAE4DBEC9EAD02EB1A74B1182326343E701BDE31FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068438Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:30.082{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DA272C058B36E97FF56D55035180E,SHA256=56FC251F7E9C0E813BA081C88FC08EBEBF8445652659E38D99C30A5C088B36AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030484Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:31.876{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029A26F94B45233FA732CC08CBD6D676,SHA256=84BCCB21E6E3BCA80ABEC0CA67A19263DA36EBE793A234E696DDFEF21E107DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068440Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:29.146{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068439Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:31.097{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D4789DCC1670FBBF765FC49261CA508,SHA256=18D336428AF431E790FCE1DFF71CED7155339E98D87BEE098C2586E77CFFBD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030483Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:29.910{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068441Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:32.149{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF40EE79D4C63A814F8AEC49B99971D1,SHA256=D5C1B8E3DAA394A359597408B3309191C608C8CE961BAB8D441B0F260F645D63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068442Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:33.179{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C88B56910C3646925D44D77540DECC4,SHA256=4D07966C4509C560A22BD3FDC4E7B103067FE84418E5454F06E14E8BC0EA4DB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030485Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:33.110{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C68AC38BA3A2C2005350646A03B558A,SHA256=8A0B4AFBA008E16433F74A163C573068996DB0B407C895EDE86C41BB4AD44547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068443Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:34.195{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87A7D34F568FE70307F17D1357E34995,SHA256=13307B84DEF608CC2EEB96649E9ED99C82E3CE677D38D7F0517773D920870E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030486Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:34.251{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8064B64E2515443033CB22927DC6CFD8,SHA256=D486E682B76B01290B4F08A930B3D64900D322BB0B4D76561A68D2ABB17D1C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030487Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:35.266{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B91BF36548F3E65F94A82066A2288C5,SHA256=01042B8103061B0A73C7E4F8C49A7675200494EF2A7BC566D3C499580BDD2377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068444Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:35.211{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FBB54ED208AA467F303E961A64CA2F5,SHA256=87496D36894796EA62371B2FCE2DC1A2BD6F018ED0B8A80C91EDF419DA2BB658,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030489Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:35.051{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030488Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:36.485{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7348CEF5C2BAB596FE076B17ACD0D3,SHA256=4244A196D601F3F34379025B9EBEAEE5A7B829BC4CE4C1085E3D62F9E909C457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068445Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:36.230{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6366E5A009578665C6B2E629B6105BDE,SHA256=344921969D31DFB70FEB0F3BAF2EAD4BF221233C44C569066D66AE3352C0A842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030490Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:37.721{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF36AFFD8EB5861622D60979A77EBD5,SHA256=F958434D651C04253F1922398916E3CDD94454EC340FEF99481872596488BDAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068447Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:37.244{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B46B894091C438911CD0AE92BF0617,SHA256=281D5BCCCCBA7777E4610A67EF6EEEECFEFBA4798404ADCED9F55DBA846C9EB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068446Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:34.995{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030491Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:38.957{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7AB213DC93FB4F6AB31F353C9DBF376,SHA256=FD34B0975C73683C3CF1E730F3872FFD4ED6B09B6B28B96258A613AA540FC63A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068448Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:38.274{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CC8F043E82F660F6E6D5F947F96C4F,SHA256=B3FE0767E1E8284FE411670AE1480F2F6941CA112BE9FD894B4F78A19D384F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068449Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:39.289{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA6BE406AA95A5F647943A41783FF625,SHA256=80660659ECAF8D9C31BCDF041A1966906FACF81F3459898F2A196F4251155293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030492Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:40.194{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6126BE4CF97EE4E5D66AAE8F99B80815,SHA256=920F936AD4A340FDAD4741BC8CBEDB373C0ABAAF6A194C9D718AFE723ADA664A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068450Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:40.306{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F39F3891DDDA4D22E2B87D4DDA76AD2,SHA256=639F040AA6977005880FF90D364A457C6926B6670DC48E3324D369AF7AAB2111,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030494Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:40.135{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030493Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:41.319{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AA91479E5BAAAC9392E3A29A2FB3D1,SHA256=092C3709A5B6650F73486247E33AF877FA152B1014D6F32547E700CCD41FF028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068451Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:41.325{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068739CC22A54D32603F7F9D43DFDFA8,SHA256=F82E56AF2ABE313C43B0380664AC5D31D2E9CED51807AB25291FB7EAB76BADDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030495Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:42.334{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94D4575F6260106C82159A7805728C0,SHA256=1140BD1CD55136D4CF4EFF6B3689D9A9A830FAB2F767DD1EE65BB57920CB1FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068453Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:42.339{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17CC9B8A5663B7E28AB461F4556E77D6,SHA256=F5F8A3DE2579C3B84DF5DE8697B6A25BB424C8D539A6CDC7959A28FDBE92663E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068452Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:40.090{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030496Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:43.563{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA92A556967780A2137FBC1323E6931,SHA256=44E97C690BAA285B05AF44FDBE44CBC7D48BFD8EDD6A4B1D8F5CC82D30B15D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068454Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:43.354{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51CFDBE5A0360239FF81B2627F48E127,SHA256=F0FC81AF76E757F24846AC674126582BEB4590E12268496E18E0807390E537B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030497Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:44.798{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7339030E3EA264171A2094F9497B230,SHA256=E3BF404231D7D52530884070197F0A7BFDFCC38FE9618BA22EA683C8FBEF2080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068455Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:44.368{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EC4A6211D241B0D7E9F4D34BF2F26BD,SHA256=52C89043B3C1F1A659613543AE4A147E7ECBA7DF06233C91308B582A422BC791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068456Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:45.383{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE3A11CACA22DE048D357A4B6127D3D,SHA256=5FEDEFEBA9965E610695AE1201071266EF77CE783EF587EB200987E6A13B2DDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068458Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:45.169{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068457Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:46.401{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BD6BC4918FF45157614D89B38DD12F2,SHA256=1C371AF71798C73E29C7594546D63E2647E11A7DA8870D23A87E6F3CC8D003DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030498Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:46.032{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F95D336484EF6415689D3BCBBCA74CEF,SHA256=67B5E48D97CBAC6AA6E89D100CC699320AF868A6193042AA5FE0D9F1321EE795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068459Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:47.434{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F3001BACA61C1F1EF964C6012B0ED59,SHA256=8D4108B84D510FA81ECAD26BC2B655406E65889CFE5A6F4D3628BE84769F412A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030500Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:46.051{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030499Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:47.142{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82FFB80D2AB5B0832CD1BBF30E8EF4E3,SHA256=17CE606EDCFA9B8B55423FBC8ACF3F2F4E5739C0E1997E85251C8EE8AFB3171E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068460Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:48.464{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4DF2C9956742E4A4A47BED295075063,SHA256=4EB83D3712CD3698CF5C76F13783BA639FB8E7512B563B7DAA1536646F289DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030501Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:48.360{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4EE6418C0989793F729155090C1CF75,SHA256=297A065A618C1DCD62C2347760FA5BD540E82DA76AC9F7D698317D4031492338,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068461Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:49.478{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E51317A75E42D17BCF2119D19223C8,SHA256=534D71C8B6E1240B3A29D8262B2E9E0F6C2303AFE7D277C9A0E132E00A61C799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030502Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:49.423{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F12945868CC12A19C5142CA5271310F0,SHA256=CD82B35D0D664717EAB77C9BD7714A0425269333466DA9E720F69F4237B187EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030503Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:50.642{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F371D68E0ECC86DEE1EBD9BE398C5B,SHA256=7DC39B3F90384D9C462EDFADDC1434521929E09942B344F730EFF5B1EE6A2FC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068470Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.499{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0FE0948EB481B9BB2E0F1F0776125A,SHA256=360818C04D07448E469A7BFB58F04E51CC49F5438493AB5FED0314CD7A64C1B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068469Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FA-60F5-0B0D-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068468Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068467Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068466Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068465Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068464Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-59FA-60F5-0B0D-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068463Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.346{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FA-60F5-0B0D-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068462Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:50.347{43EB4363-59FA-60F5-0B0D-00000000E501}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030504Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:51.876{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D63944179AB59CB9F894D01914953C,SHA256=CF6E6C85658B2965B3045CA12072885CFD1BDE816AFA0C14FD34905C1186CC0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068490Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FB-60F5-0D0D-00000000E501}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068489Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068488Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068487Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068486Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068485Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59FB-60F5-0D0D-00000000E501}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068484Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.876{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FB-60F5-0D0D-00000000E501}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068483Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.877{43EB4363-59FB-60F5-0D0D-00000000E501}6248C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068482Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.514{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E4F4CBBBC81F6D7AEBDD1EFD72891D8,SHA256=270F90A1D93F13B198F039C17BC14417D10F256DDDA56121872F4118B7F73696,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068481Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.445{43EB4363-59FB-60F5-0C0D-00000000E501}45162472C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068480Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.376{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359AFDC32EDFA1936ABEAC1B6DC505FA,SHA256=6F09F3DACB4907532EFC9AD22B6C5B16258D14599913D1F5D3D920FCE994D693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068479Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.376{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED313B13927F9EB29EA8FEBAF2360F2E,SHA256=45ECB7C7B75BF5A186425CF6F6B8E9F81F4D42707CF8EB01CE0DD2CCFB9EE38D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068478Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FB-60F5-0C0D-00000000E501}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068477Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068476Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068475Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068474Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068473Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59FB-60F5-0C0D-00000000E501}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068472Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.214{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FB-60F5-0C0D-00000000E501}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068471Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.215{43EB4363-59FB-60F5-0C0D-00000000E501}4516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030505Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:52.985{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A52FBAE401E677031F3A78957CFDCF2,SHA256=5330772BF0C86E1EF6E431424A86D86ABD1198A23E11F5E7B6C733C4AC461112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068492Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:52.894{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=359AFDC32EDFA1936ABEAC1B6DC505FA,SHA256=6F09F3DACB4907532EFC9AD22B6C5B16258D14599913D1F5D3D920FCE994D693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068491Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:52.529{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21037374BF3AF1C8A8AD83577CCFE9E5,SHA256=AAC4BE0B184CAA81E66B3027FE16763F281CA3B7070C4843027230ACE6BF4D7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030506Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:53.985{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B925C0605B5A5DFF2EFADC1E5EF75FDD,SHA256=9412D9922FE66D9ECAB6CC32388D89B877044ACA49AA0D0BD314E3A302DEAA21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068494Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:51.009{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65287-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068493Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:53.544{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61797CDF615FBFEDEA95CC65E6615CCC,SHA256=8D10AD6E273B698FDD8013660F0078B8B9DAE6413C3641CC9631AFFABBB02B9B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068514Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.843{43EB4363-59FE-60F5-0F0D-00000000E501}79364836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068513Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1428517350FD4D8D36E5C4D4D71C1E55,SHA256=ACAA8B77E51D35FA662D8B24AC0B34BF6384AA662A79C988D5E3F1396B674B8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068512Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FE-60F5-0F0D-00000000E501}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068511Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068510Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068509Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068508Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068507Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59FE-60F5-0F0D-00000000E501}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068506Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.627{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FE-60F5-0F0D-00000000E501}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068505Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.628{43EB4363-59FE-60F5-0F0D-00000000E501}7936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068504Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.558{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E8F6F1EE79775FBAFE902680CA0AA1F,SHA256=67E92B667313594BBF55F17A1C8716F41546C3A033AB0C4363D81E9C8C737923,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030507Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:51.973{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000068503Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.212{43EB4363-59FE-60F5-0E0D-00000000E501}74686440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068502Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FE-60F5-0E0D-00000000E501}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068501Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068500Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068499Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068498Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068497Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-59FE-60F5-0E0D-00000000E501}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068496Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.027{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FE-60F5-0E0D-00000000E501}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068495Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:54.028{43EB4363-59FE-60F5-0E0D-00000000E501}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000068525Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:53.676{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65288-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000068524Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:53.676{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65288-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 10341000x800000000000000068523Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-59FF-60F5-100D-00000000E501}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068522Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068521Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068520Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068519Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068518Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-59FF-60F5-100D-00000000E501}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068517Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.757{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-59FF-60F5-100D-00000000E501}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068516Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.758{43EB4363-59FF-60F5-100D-00000000E501}4472C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068515Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:55.573{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4703510064D8E9F17C12C1923F54BE8,SHA256=BB03C662A4E40B854C5F550540547EE5A25B9934C7907B6DBB13C2662A138A74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030534Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59FF-60F5-4906-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030533Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030532Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030531Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030530Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030529Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030528Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030527Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030526Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030525Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030524Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-59FF-60F5-4906-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030523Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.829{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59FF-60F5-4906-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030522Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.830{53AF6CEB-59FF-60F5-4906-00000000E601}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030521Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-59FF-60F5-4806-00000000E601}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030520Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030519Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030518Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030517Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030516Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030515Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030514Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030513Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030512Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030511Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-59FF-60F5-4806-00000000E601}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030510Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.329{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-59FF-60F5-4806-00000000E601}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030509Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.330{53AF6CEB-59FF-60F5-4806-00000000E601}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030508Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:55.126{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4436542C27CDAB81CD7BEF150751736F,SHA256=69E7EA4DD4CF9430C487434CD58E65231E7AF0A3E5E45DB85FEE156A02FE6923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068536Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.791{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D4AE399E4A74D11107EEAD1D8BE3453,SHA256=27713E906D7B132BE923CAAB94A8E15B67633D6F007038931078E8F9AF61C626,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068535Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.641{43EB4363-5A00-60F5-110D-00000000E501}81247220C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068534Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.594{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F228F76CD4914598187E580C07E07CC,SHA256=1304770F642DCFF8D73FE9C93C412363ADE2C7731855B5AA778E80E8B62EF888,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030551Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.501{53AF6CEB-5A00-60F5-4A06-00000000E601}31242652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030550Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.470{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D8CA50D47E75D18638E50D66248B00C,SHA256=F6E986F80DB0B90EAAFBC2BBE36FF99E033624D1DE053D05AB4AB71119A53A6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068533Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A00-60F5-110D-00000000E501}8124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068532Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068531Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068530Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068529Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37A6-60F5-0C00-00000000E501}8281060C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068528Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5A00-60F5-110D-00000000E501}8124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068527Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.425{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A00-60F5-110D-00000000E501}8124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068526Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.426{43EB4363-5A00-60F5-110D-00000000E501}8124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030549Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.345{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B17917344B669D05C9B06CD116A1A63,SHA256=1306DDD46AE11DFFEA2DFAE4AC4DF0A1AC08A73EE7C8FC910CA0D579DD8991AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030548Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.345{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6586A56297C96DA29562664B2644CBD6,SHA256=55E5951D19E7CF0880FE43CB18AE2AF15A238D50C57A193BB086C2DF2F8F0DBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030547Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A00-60F5-4A06-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030546Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030545Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030544Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030543Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030542Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030541Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030540Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030539Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030538Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030537Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5A00-60F5-4A06-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030536Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.329{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A00-60F5-4A06-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030535Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:56.330{53AF6CEB-5A00-60F5-4A06-00000000E601}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030565Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A01-60F5-4B06-00000000E601}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030564Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030563Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030562Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030561Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030560Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030559Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030558Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030557Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030556Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030555Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5A01-60F5-4B06-00000000E601}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030554Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.813{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A01-60F5-4B06-00000000E601}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030553Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.814{53AF6CEB-5A01-60F5-4B06-00000000E601}1152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030552Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.485{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8A398B6C7505A1BAAE3F1ADEFC6385,SHA256=766965FAEAAEE408160F701A31DB0CC39A8CCDB2E190FBA942196DF09ACFFAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068538Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:57.610{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D65267E79B1CD43CB96EFA84461E19B,SHA256=739A2BCDED815E7BA4F2A81DD65AC24B068797855BE67D475F62E374B7150A1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068537Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:56.105{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030581Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A02-60F5-4C06-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030580Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030579Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030578Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030577Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030576Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030575Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030574Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030573Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030572Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030571Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A02-60F5-4C06-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030570Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A02-60F5-4C06-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030569Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.892{53AF6CEB-5A02-60F5-4C06-00000000E601}3624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030568Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.845{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B17917344B669D05C9B06CD116A1A63,SHA256=1306DDD46AE11DFFEA2DFAE4AC4DF0A1AC08A73EE7C8FC910CA0D579DD8991AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030567Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.548{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=444376958D876D280D0228B14B84E189,SHA256=2DFE4D8AB9C777894E42B993A6E27C3229D9A3EBDA783B1137F23C7696D558BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068539Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:58.641{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B91DA7B78B02FA8B653D1A700B2B847,SHA256=5C8511050F8BA8DDD2D0D720312E99421453250BA3CEF515BF10E8AAB8F8CAA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030566Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:58.001{53AF6CEB-5A01-60F5-4B06-00000000E601}11523104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068540Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:54:59.656{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C660006C3D459A213063BF7EAB9CD4,SHA256=68DFA1C22C822BA7CF8DBF2702EAAC85D7A7045D2D45799E8CEF69B78886F245,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030599Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.907{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA25D0F6EFD490986A2D263CBDFC007A,SHA256=AA9953DB9383ECD666BD34B0752F09F79C008E3AB93E3C372CB9DC2561B6ABC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030598Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.767{53AF6CEB-5A03-60F5-4D06-00000000E601}4963020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030597Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4F17D77DA5B07CBE0B9336DC6E13BA2,SHA256=8844828C960518E117455C4D1ACBA4975D1255CDDF62A4701056FF5F3C2A1547,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030596Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A03-60F5-4D06-00000000E601}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030595Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030594Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030593Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030592Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030591Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030590Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030589Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030588Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030587Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030586Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A03-60F5-4D06-00000000E601}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030585Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.563{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A03-60F5-4D06-00000000E601}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030584Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.564{53AF6CEB-5A03-60F5-4D06-00000000E601}496C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030583Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:57.098{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000030582Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:54:59.079{53AF6CEB-5A02-60F5-4C06-00000000E601}36243668C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068541Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:00.657{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=100614DE1712C62592CC3CE1DD734D49,SHA256=BAF70856A59FFA4DF1C230DC0802C914D969F696794EDBAA6FFA3F5819F363C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030600Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:00.579{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDBC8B66FCD59976661A6D543D233B34,SHA256=B00C3710460903C06A218F0810CDF6B3605AA2912BF36F5102D87FE5208DA6A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068542Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:01.710{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D092F6FC34E89A5DDD7AD2F0E902993,SHA256=8392F02875D05B6BC8CB7A9286470F2A04C0E58D9A49450D9DD7A822F71C46CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030614Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.579{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A637F54C8ABD13CF4054761586225D,SHA256=B29DC661B5960BA3A25B1C4CB0060B01EA444A241A2D27A9DF06301398D4F0CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030613Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A05-60F5-4E06-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030612Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030611Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030610Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030609Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030608Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030607Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030606Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030605Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030604Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030603Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A05-60F5-4E06-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030602Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.235{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A05-60F5-4E06-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030601Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:01.236{53AF6CEB-5A05-60F5-4E06-00000000E601}3796C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000068544Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:01.174{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068543Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:02.724{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=563AED7C9B509CF03D572447A1C440E6,SHA256=1E0C12842C68B960A7745757F52611F75183041B7D76613157032F6C3A263E00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030616Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:02.595{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA68886FFBA5B505F900865CED50C38E,SHA256=616E9870507A1BFD71DB915CA381C36CC0E5BF0A49D4CB09F934420916B82BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030615Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:02.267{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F22F33985E1F69397B9EE5D0F68DCA3,SHA256=DB0BB997BA7A0105BB39989E4EE31186AB4126520CBFD18E75577273070F9AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030617Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:03.599{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08102476CB6D23B96449F6D1DB7A8177,SHA256=04F0BE72F663DDBEBE920C5D61B582396F0723602B6DE71332A5D53E15DC8696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068545Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:03.740{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1981DEA57F2925F5B899DE9962123A,SHA256=96EE53BA12382A165208FFDD17325D0F6C0B539BD6D634EFE5BB3CABECE71674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030619Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:04.615{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=446D6B57739E0D7F626975C3CA2D04F5,SHA256=DDDD36064FA5B37A634FECAFF9C50BE3E1094DC9BC02E769D85736F0566015C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068547Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:04.926{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068546Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:04.742{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B268B5AB871E0769FDADB7A3BAA6A8,SHA256=5A98C77160E6A48354E52A278AD158F730DC7B08395F86545FE37183CDCBE3E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030618Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:02.915{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068548Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:05.759{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B189EC7F2DF68BE215D79E74D0AA68,SHA256=D234818285BC6858EB055324F9F168EC63CDD4747B1F5C9658D9BB148862960B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030620Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:05.631{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B225D58650549A105598F9A6AD3E33C,SHA256=8184405AF2D32B6213D92D932B61613634F5AB5140AC9BDEEDEDD1982F247D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068549Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:06.774{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A93D72403BE9F54E1586B0BB6B34C8F,SHA256=04D2E089E878BD8EDAA4C387183AF40A520D5857EC8B70E77D875CE6E95A6B61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030621Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:06.646{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CBF2614F1CD10C34A9C6625EDF63E1,SHA256=68C5CABE77663A5C2A2B6E871F6B1BB15399D02FDBCDD7F02904BDD840429175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030622Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:07.662{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB271BE7227E8D0175F3BD1380FAB64,SHA256=8FAF4DB981DA8BCEF37B8A3F45CFA936BA5669BC4AD9EBC1A1B6BFEC19C71776,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068551Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:04.843{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000068550Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:07.793{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBDC6E29D386C77320A39DC54F76A7D,SHA256=1FB2D5DB2A1236F5162CE300B0DE5D53E562C5278F3AF3A3F6B16BC4F7D9FC97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030623Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:08.677{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76B1F25849E61A4440659A8F262E920B,SHA256=CE17356252E51A7D5F9C57DF04BA5AA7071D11446CBB293F724D509F6AA8A6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068552Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:08.808{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C53792D10C4C45CC40670A957742588,SHA256=C6CC2C3D42ED4964427D7FD957F6C98A969E647681EE71987A83C6D753DA5336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030625Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:09.677{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88AE8510203741A31CA8E2E3600FE2C8,SHA256=540671EA39693DC91A206FF3C669096C3497071035F47F5B7120F46F03E28701,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030624Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:08.102{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000068554Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:07.058{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068553Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:09.823{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB1C241E42ED91FB74CAB588D66C9F7,SHA256=9A2027655CDF1DBDF426A9DD514FE602FE82D38B7C09778E9B12BF5DC63039ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030626Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:10.912{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE44C3B12E558A56C89710C2B879EE5,SHA256=51A5754D43A395A6864FFB845C5A29F5B3B6171CF261F2B2BABC8718909570E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068555Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:10.838{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BA3B3B7F53D021D8121869CA9CAF9AB,SHA256=D8BEB7C68998837B001EC539C030DAA79D38700A15F1C911D1A88AC9E9050C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068556Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:11.868{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D987F64EC54D7D923A7FBF56648478,SHA256=6310BAE76133D19D195B42EFF66F160A50BFFCBA8FEAF64BB58821B4B0C7FAE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068557Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:12.905{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACDE8D5BE110CCC27870193F171FF8A,SHA256=0E4D424BE3DD1AC5D59546B8C7A2C4BBBDCCECC0C8F485E46BB08083F454B0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030627Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:12.084{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAC3FE0A60F7B0CB06A862F741C5B76,SHA256=68772CB8ACFEA8E487E4AFC9D058A1B58BFB21AD6ECD51ECF42BEC60672DE8A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068558Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:13.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D913CC8500D70249CED8D86EFDFA955A,SHA256=1AB05A09820A682FDC8C5D4752BD3557198E253FECCDE3306B4C1C511A1A182E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030628Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:13.099{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5B006A1EE504542E621147BE43C41CA,SHA256=E8C5B190ACAA90F8060F0FF88F01100389A5E7D9906350A1D9C864A87AFEBC1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068559Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:14.935{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4963A0B1FBFA47DD3E1CD3F56698EDC0,SHA256=14DD80FA4EA19E242C83B07B6C2A3256EF05B7B5CC396A4BCFF00452100E912D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030629Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:14.318{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED2F1E2A03E830444632A60A4D02D4F,SHA256=2A20EDA7EBA646C71C21CEAED6F358B7C01EDEB68CB931F9B58C8A85BC61B2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068561Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:15.950{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942B901D1E4F95AE2A0FB9ECCC015E73,SHA256=657FE055701AEA4AE833B2793B0DB2C07642DB81CE5139E96147A712BDEF47CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030631Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:13.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030630Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:15.552{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3F192FC131D31A5738548754A794DF,SHA256=6DD0E3466AFC08CADBF1902A605B406691CBB997657BDB86B35AA40DB37A7A10,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068560Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:12.154{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068562Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:16.983{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894EE238F01AA8B2B73CA3121337E0DE,SHA256=369D2E29A0E7773B8C94F236E940ECBBF84CDFAD9572FDED0FA6DB584B6D7CE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030632Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:16.771{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A42F529F5F6A631844E614C41CAE1D,SHA256=F626D3FAC747AF79C6B56E7D4BA21F42603D9C17954328D4E1C116194FD88675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030633Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:17.787{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12389DC46B0216AA04AC782846B3637,SHA256=7A587C8DA43CED2D0FEA6FEE4D00457EB6994CA62ADB120693AF65D79AF7BC44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030634Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:18.802{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874050ADCB1D7FFB7F1420FC4E14DA57,SHA256=A2D480513C0DB7AEEB0E637FC920B63DA4769E23DCDC32EBCFB3616B72CECF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068563Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:18.032{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21874E1EF0F1A4D2EB674D01AAE2D058,SHA256=A439282AD6EE5F3748898D87E923704AFAA1B1E5A4F89940CF3D93D3EC2E492F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030635Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:19.818{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A212C7425A2FE5F692A55372036F96,SHA256=A334F62F38B04B08570AEB47766230FC9423196BF6A161E99C0775D06B638E10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068564Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:19.063{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653163439E0E7D6960A84A598F9FB0BF,SHA256=FA2164835B919543CB98560E36D9AEE1084310B7E58AE5BC20947F2DD2E80EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030636Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:20.849{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA53EB3B4FD4917E6AD21A6ABC5FF424,SHA256=BE7AEFFE7987AF75EC24EF448DEF961713653807A74A8A22D3FF6B6AE71E5518,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068566Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:18.012{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068565Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:20.100{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1FDFB919C2B8E6BE1B499F04E71956,SHA256=F5B86B6652957DB476AC0CDD7E75354E6E45209F2B1546C751DB5D430DF97960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068567Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:21.115{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A10D9545B9EC9CA9B03CC51CCA1B493,SHA256=00778DD81AE77AF4E59DDF9BCD2091A83B6EF551C7D8366DF07C01E0DDCF71B4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000030649Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030648Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007e7431) 13241300x800000000000000030647Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c84-0x2ffaaaa1) 13241300x800000000000000030646Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8c-0x91bf12a1) 13241300x800000000000000030645Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0xf3837aa1) 13241300x800000000000000030644Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000030643Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x007e7431) 13241300x800000000000000030642Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d77c84-0x2ffaaaa1) 13241300x800000000000000030641Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d77c8c-0x91bf12a1) 13241300x800000000000000030640Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-SetValue2021-07-19 10:55:21.677{53AF6CEB-39BE-60F5-0B00-00000000E601}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d77c94-0xf3837aa1) 23542300x800000000000000030639Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:21.584{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030638Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:19.071{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030637Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:21.021{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A4F0A5F24C9F8AEA99458C6A0A1DA7BE,SHA256=7DB349DA32C16BCCE28CA9E4775292E0E4AF9E70B77F7BDB2C84715E95069E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068568Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:22.130{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12C61911EFC3FB07826949CAC051F2A3,SHA256=59C1EC43F76B52EE5CF56084FFEC4F4A4349DC46228BCBF7A27EFCBCB3066A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030650Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:22.084{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23B0149F71D483275E32F6E1AF6F20B,SHA256=AC607D47F94721DCE573E784A9F79CCDBD51B5D619CE2FE30174594F96505F1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068569Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:23.160{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1FFFF44876BC0BE119B2B82831C44E,SHA256=65F5EAA3339D9EC0FF7C0D996434EA75AE44EEF0152B0C6FBE44BCBE2352B4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030652Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:21.446{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030651Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:23.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD2CF5F14853F52C07DA128B7A422DF,SHA256=08E8E255D5B98537E5FBF9C22A7EE8045C8FBE773B6F734D399D1FEFE0F4AC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030653Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:24.380{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9EC03442D9F4B330A869F038E89ABA7,SHA256=C206CD689FB3F283F4B1E5FB6269C94C390AA20972C448F4A48DA7DA814CC047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068571Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:24.796{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=31C0E2E5CE7762DD7DC3A138E0667935,SHA256=9D5703CF0BB3A2FEB8312EA1002208BD84A07C70F95B4CE4AC29E32F112FE403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068570Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:24.177{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7C187FBD663BA048223CE0DA363B2E,SHA256=3FCE89EC09CF14C8A689417E0A04CA8D73F3404E72C9279EA37E456BE61D9791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030654Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:25.598{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A9EAAAAC70DF7D9C14766F3ECCA6D8,SHA256=FA892F2C0844BD310B77E4209C54FC77C2F9E1C519D78CAB1F3B240C9F644231,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068573Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:25.196{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97280EBDC0796CDE1AAE5E3EDAF1A35D,SHA256=331DB40E54B59EBFEAB7C7D5768C5E1176A49938941447E1538563736366D667,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068572Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:23.109{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030655Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:26.677{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D86192E2FC0CD2948FD3162128F302,SHA256=F471BAA19CC5D2C5B81E7CFD318BE97BF8ED2801360EC508F6D5D0530C2C374A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068574Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:26.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2AEABAB59D2B92F3EF967FE0159D4E8,SHA256=CF3ABE226A996369E0DE961B336A8967F5DE262663D756E372FF896EDF5A4845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030657Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:27.692{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD9970B0323F85DFDE91391E597808,SHA256=83C14EFD889F6051B84BA56758F0D68466109824D4104E7F3421D7880069E7E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068575Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:27.226{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB186DD07D1D2711F57895C25638F659,SHA256=FABBDDD3B33718B3F7F1B5C9FC8A784ED5B6012DB363670E71D6600DD57A05C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030656Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:25.039{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030658Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:28.927{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A630211A25CE6326DFD552C590EC5180,SHA256=F754005B98229691ED782727EB52CE4A2A4FBA89EC1F64A4FF241BF2FE59E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068576Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:28.256{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3264C66D5351779B18C532FF070F4AE9,SHA256=570BDD9B86BFE4124CBED15BC5BB3213A0E7CA31E39A098A0BCC802FED9B95BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030659Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:29.958{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932AA5B4CEB0A15F1675FF644BC5DF7E,SHA256=C5405CE2B9FA21C5257B8EC6D8BCB0208E7FF569C40D82D383D69F7984799540,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068616Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068615Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068614Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068613Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068612Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068611Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D0-60F5-9A08-00000000E501}3452C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068610Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068609Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2800-00000000E501}2856C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068608Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068607Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8908-00000000E501}4428C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068606Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068605Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068604Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068603Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068602Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068601Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068600Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55D1-60F5-9B08-00000000E501}640C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068599Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068598Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068597Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068596Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068595Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068594Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068593Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068592Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068591Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068590Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068589Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068588Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068587Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068586Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068585Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068584Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068583Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068582Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068581Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068580Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068579Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068578Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.639{43EB4363-37A7-60F5-0D00-00000000E501}884904C:\Windows\system32\svchost.exe{43EB4363-55C5-60F5-8808-00000000E501}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068577Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:29.273{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21721D7BBA93B598CD649BBE05C7029A,SHA256=CFF13F67CB46DCE99BAEABCFC833E339B778CEC8636168A35A0A597F1DA42076,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030660Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:30.958{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A976CE3C85314930E0484C957E449FF4,SHA256=B1878785231BD1A381F046FD10FF1C46F94F408491586E7FE7F68F084A69FA72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068618Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:30.807{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22D3F2F1144148591A454BF31E7E1C6,SHA256=C514E3D113191CC94D7525F2E4CE9C2E973BC956674783D57C8D8C3934761FAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068617Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:28.173{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030661Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:31.973{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331C5D70FE8DC0E842B2CDA8B8C1A110,SHA256=10D5A3A35095BD1E76F0B46DA960F9ECCE4F097ACBC0ADA6BC7ADD89ABFE20DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068619Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:31.391{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA0533D7C05B05F468DE108396A48BD4,SHA256=A4550A499026ED0872B2EB28A71452FE46D8E1F89985BC6B31ED6C1E6B5AAFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030663Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:32.989{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46AA794B65762C2827E045275376E19,SHA256=53516F818E31E801FC9B57F97FA2D76CBAB65C0EA78E558C639C9A257A83C454,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068620Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:32.421{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C694C25D87371532F1156D8FCEB6CA00,SHA256=A8E496E1F450F0351CA6054A3A8E5CE51965D12E80B01C43657D4CD6C8A54EAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030662Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:30.992{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068621Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:33.451{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F4DCDDB6A8130F70479AC3F17905BC,SHA256=5C32D9ACA68846B3B0B8592DBBBDDF5EC773597D97BBEB9B651613237DCDDE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068622Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:34.469{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1EEF6764B08AE311BEDA7BA19DBB50E,SHA256=E15FF33375676D291B195E116DCCBD144D23779D3750CAAB09FC5EE30F6CD3FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030664Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:34.052{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=909408D211B39292FC4C4098BA1B2E90,SHA256=15025AC919673515F4959A6A4841965B9D2D43F5756A3789B59663D34C624F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068624Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:35.503{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BCBEF157FD8CA565397429569D448F,SHA256=10ED405D501830CB4D9417FA657BEFC2331F0DAC3683CA87BF411BDC35AC13FA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068623Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:34.037{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030665Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:35.145{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03551FC52F1C4338B3A2793FA2897F7B,SHA256=214E086584C357B5DA6CDB87C34562DC9DBB66060F2BD4B96E4385042218AF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068625Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:36.517{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE150B0E985E90F9E70B0377D68CF528,SHA256=8D685B889CF3DBE5BB718F6810FDBE3166A852B4ACEDDA0ADBA0B51C40A04D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030666Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:36.364{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A7394E931FC2409B29DA885641B1559,SHA256=BAD146B8491027364FCD57DEA6602F7DF677AB184FA6FA6AEC8BB7DE4AAD77BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068626Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:37.532{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5872AEC1A5E0BD6CB0EC577420A9B792,SHA256=758DE17E41D85E16C903B3AE09066072AB23D0C99B1E42ECC96DD34EA35F9CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030668Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:36.133{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030667Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:37.395{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640AA0270787FE4F6165697885B1AEC3,SHA256=BB43F6B2ED3D241CE094A862373BEDCADD3553CF93C782915F065F1E9909FA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068627Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:38.546{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD39DBAD50B2EBF250CE59A6FE5242B,SHA256=CCFFFA6ADD5599AB7AAAB891E6D7E2F8E2CCEEC5BBDDFAC5775E6B8774332D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030669Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:38.614{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03055C4EB66B18CB4D9E4638E4DCF4FE,SHA256=ABB54BC269D2007BDED400CA482DD6B013F7AA4D5E8C82F4562C226DB0E56A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068628Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:39.564{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6BC2ED85B2FF2EBB3874C9D9538DEBB,SHA256=F5D3E292D96FCD7CAC651180FB0B46F084584F3B22E44762EF25082E1FC373AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030670Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:39.722{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AF3B421EEC7E1D978B1EFB03AAC1CD,SHA256=A4C8AC5A12C466E0EF932B07A84651558F1BBCB85FA8045E01DBEDB9892AF20B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030671Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:40.836{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB45FC46912DD19EE674AB2EC0156B2,SHA256=1A461E76484F0280B3A70C08F0CBBFD9717291A9082FE7130BD6683C7F518F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068629Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:40.582{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88F1D7788056C0350E5383C6B4B0FB8E,SHA256=AFFFAE9EB790D37B54EA7D0F1F5F8DD94EFE950A4213290EBEC74D1CF49278B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030672Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:41.883{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606473F51A935C369B2BC1662856A703,SHA256=75FBA4BC5C01A10D58B4F890437101A5D445D37B13B11CA760E51FE22A921BE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068631Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:39.996{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068630Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:41.612{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=862527BB9574443C4644F4A2EC6F6E22,SHA256=C6AF4C0590BD53B9BF99E2C442E74AA80F3ACF68F2D2D63EFAEBEDE126CA1AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068632Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:42.627{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91758DBCF71FEB95D202725B2FB5C36,SHA256=DD96190AC3A627BAE7F5E1F2D6D58DBDFA08AF17A1EE4F74D31906BD42B58AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068633Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:43.661{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5360D65E7A7A5EDB437C0B92619E81,SHA256=EFA6D6C1521E0BC48522BBBA9CF10E9745122268557EBF3D06D22057116873A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030673Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:43.053{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0786833048E5ECE8AB365C4897388367,SHA256=BAFD1995618757E1A1935AD9011A7931214EA73F49C50C1F81D619D785B5C9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068634Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:44.678{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=981E92A1ED251B1BA698F1338F728556,SHA256=1F2B96E3B00A820BC417EF93619EC110DDEC65BD1E06218B6C3E17727A35FF65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030675Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:42.011{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030674Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:44.068{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA7EE0A7EB81D716D2C668074DCDB2C7,SHA256=B6B9962B55C59220D8BF869A6FF9E8465FA2F9D652647A9DC287E0748FCA5482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068635Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:45.679{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FCE1CC54CD334CFCE651FAE9DCF77E,SHA256=A22FF675AE64F6E58669E92379879E147F375A0F2260645809FCCAF023B70368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030676Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:45.084{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1C4748F51CB263E0575833288902D4,SHA256=077AD114F8505A89AACA3B3C827FFEB60EC8E62FCDC92EB2F5F8A797B3D4C22F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068637Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:45.174{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65299-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068636Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:46.724{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8292453016C2BAA7E5E46247DEB5BEB,SHA256=E8E3BC1A076363EA28DE3EF226C5A03308735C32022B3CF4ADF071CBE056CC4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030677Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:46.100{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C03790DC68834E262F8D853FEB279E,SHA256=13C552A8C52ADFB817CD959E153DFCD1311B1EC1D58CF9086E7404E06BC4B1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068638Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:47.758{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3DEA810A277AB7B7B6AF4FB5CD4F321,SHA256=2D977460FC591A7E690812C1F8EDE982853DC70283DEB33DCE8CB7844FF55470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030678Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:47.115{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB95A009D08DDD36ADC23CFC87795EF,SHA256=D2A110486B68A0FB126D3FC43AC2AB215EDA1AD037A41267DA6A9B00403A781F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068639Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:48.792{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C98C658BE193618C448026A3875CB14,SHA256=C395B2F8BF1E958A5AD25A19FB38214494C2ECCA863B23AE192B7AF1581FFF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030679Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:48.131{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=123A0C19C3F48DC4498A377F46628C20,SHA256=0C2D46BFEB5C0F371CD6EC52E4FDEBDF87DAF67DB9348B4E5CF1249611065F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068640Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:49.822{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B77774AE70F74B618B4A8B3A1BD289,SHA256=3CBEBD10F7885E8FFF1174C6AD6C3F66AD0382E45A7B3DE52BE5CA5672190090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030680Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:49.146{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076C7C916C38FA27DCFE84C65FEEADA3,SHA256=DE9B78ABF8AACCC622F3B721FCAB7ADA9D4F1CDEF2D74692CFFA3E6DDE004CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068649Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.830{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3652AAB3B06B7AA2E7E3083914E102C,SHA256=B9E046B10F468700FBB82F01649ACE304A7FCF985D2FAE8E0AEEC4EF72D2CA24,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030682Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:47.931{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030681Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:50.162{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E9D0D3613FB2054E22DF1144AB3F0C2,SHA256=2A514348FE4C99CD1730A7B17B3848D8C2646648116E2E549535BFCBF04602A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068648Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A36-60F5-120D-00000000E501}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068647Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068646Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068645Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068644Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068643Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5A36-60F5-120D-00000000E501}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068642Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.378{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A36-60F5-120D-00000000E501}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068641Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:50.379{43EB4363-5A36-60F5-120D-00000000E501}948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000068669Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.883{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A37-60F5-140D-00000000E501}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068668Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.881{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068667Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.881{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068666Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.880{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068665Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.880{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068664Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.880{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5A37-60F5-140D-00000000E501}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068663Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.880{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A37-60F5-140D-00000000E501}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068662Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.878{43EB4363-5A37-60F5-140D-00000000E501}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068661Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.846{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84501F61C059F074536F1D64953B194D,SHA256=C62600D939F298AE9D74DFF68C20ACF8C73CB01F8BEEA7BA9EDC0C83D6D3C575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030683Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:51.178{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A237F1287D6C45DA252252C1B2FCF51,SHA256=ECADD2DB0C4C5A12ED35AF483B4A224582D5C9B11657DA3FCD86C02608473448,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068660Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.447{43EB4363-5A37-60F5-130D-00000000E501}54887684C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000068659Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.400{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB3C2A9FD9E9581B450E456029B7AF1,SHA256=790798A71E9545916B53E1A8FFDAF3F4D6F64393FF9C9A56ABA569CC020AF1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068658Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.400{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6477F278BE89EA1A41094C9C76AD8BBB,SHA256=E2881C261667E624F4A98628F6ABF67735DD9197508976AC1ED4A015AFC02045,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068657Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A37-60F5-130D-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068656Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068655Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068654Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068653Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068652Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5A37-60F5-130D-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068651Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.215{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A37-60F5-130D-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068650Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.216{43EB4363-5A37-60F5-130D-00000000E501}5488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068671Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:52.914{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CB3C2A9FD9E9581B450E456029B7AF1,SHA256=790798A71E9545916B53E1A8FFDAF3F4D6F64393FF9C9A56ABA569CC020AF1C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068670Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:52.861{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=161ED2B25601E501428AC7D9C051EB65,SHA256=25EBC82D75A69388A4D8EEAED6973D65AB9F1F5AE38CE03EE72233C378497093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030684Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:52.193{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676D6EDCE8B18AAF5F9670C89ED47F49,SHA256=0A1CCCA49695A53B7C45145736CB39E6D136F782D395AE98CEB9041469A4A23D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068673Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:53.879{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C55C68FABA36F910F508899FD39FABF,SHA256=A265158EA2B7F3ED9320139617F85ABA9F652F1302F285E28C132B0D8A84F82B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030685Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:53.428{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E7B1ABE9DE58D1DF4BBAC341C4FEB60,SHA256=9C3C92382D2067E04E33AA0A62C5EFA1C7D2915A4164C1341A03E2684CF2E811,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068672Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:51.063{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068693Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.900{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797516EF046B94299CB5B3F75004FA73,SHA256=667DC93F8940977048C355481E783CAA5D4F4A9BB4DCE8566C301424171A5476,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068692Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.900{43EB4363-5A3A-60F5-160D-00000000E501}25682244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030686Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:54.662{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB79CA2D50478608839FAA1F7C3AB862,SHA256=94A202A8D1AE4C3E2BA659AEB39C1DD21071C547B92B9E67025467F20F34CAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068691Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.745{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=57CBF385F0FAC911D9E9B389907B719B,SHA256=8347F45A50C7688C157B1789E233E32425E276BE55C9CB1CDB1121DD3D0F55AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068690Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A3A-60F5-160D-00000000E501}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068689Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068688Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068687Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068686Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068685Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37A4-60F5-0500-00000000E501}396412C:\Windows\system32\csrss.exe{43EB4363-5A3A-60F5-160D-00000000E501}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068684Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.697{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A3A-60F5-160D-00000000E501}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068683Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.698{43EB4363-5A3A-60F5-160D-00000000E501}2568C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000068682Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.198{43EB4363-5A3A-60F5-150D-00000000E501}33923856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068681Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A3A-60F5-150D-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068680Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068679Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068678Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068677Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068676Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37A4-60F5-0500-00000000E501}396748C:\Windows\system32\csrss.exe{43EB4363-5A3A-60F5-150D-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068675Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.029{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A3A-60F5-150D-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068674Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:54.030{43EB4363-5A3A-60F5-150D-00000000E501}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000068704Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.915{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24B7115994C205896DBEAB54802C4B2B,SHA256=1F569D20906BB8B81FAB1107C845545970FCD9BE110EE0C8EB7A8319798FDD5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030715Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3B-60F5-5006-00000000E601}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030714Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030713Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030712Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030711Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030710Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030709Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030708Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030707Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030706Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030705Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A3B-60F5-5006-00000000E601}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030704Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.912{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3B-60F5-5006-00000000E601}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030703Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.914{53AF6CEB-5A3B-60F5-5006-00000000E601}3060C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030702Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.834{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=756D9CCE645ADEEBBBDF16C4F1E63EB6,SHA256=13447B43F3E4D4596F54C5883E34CBF1EEBF5F98EA1686D5F2C9199901BD213A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068703Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.781{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A3B-60F5-170D-00000000E501}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068702Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.779{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068701Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.779{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068700Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.778{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068699Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.778{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068698Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.778{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5A3B-60F5-170D-00000000E501}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068697Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.778{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A3B-60F5-170D-00000000E501}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068696Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:55.777{43EB4363-5A3B-60F5-170D-00000000E501}3800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000068695Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:53.678{43EB4363-37A5-60F5-0B00-00000000E501}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65301-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 354300x800000000000000068694Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:53.677{43EB4363-37B7-60F5-2600-00000000E501}2836C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-876.attackrange.local65301-true0:0:0:0:0:0:0:1win-dc-876.attackrange.local389ldap 10341000x800000000000000030701Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.537{53AF6CEB-5A3B-60F5-4F06-00000000E601}19841964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030700Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3B-60F5-4F06-00000000E601}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030699Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030698Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030697Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030696Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030695Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030694Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030693Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030692Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030691Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030690Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-39BE-60F5-0500-00000000E601}400980C:\Windows\system32\csrss.exe{53AF6CEB-5A3B-60F5-4F06-00000000E601}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030689Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.334{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3B-60F5-4F06-00000000E601}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030688Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:55.335{53AF6CEB-5A3B-60F5-4F06-00000000E601}1984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000030687Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:53.102{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030731Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.896{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=511CF90208F534E50B095841BD984556,SHA256=A85C42BC0F189B854CDD4423A6F0884B27FD42001898589D80CC94E1D1F5C1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068714Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.801{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5448FB9A59E01F70C852CE5808614922,SHA256=2715C0A1417BE4ADF6FBE30D7ED9823E17449ECCDE7D81508F6BD0816367DCEE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000068713Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.700{43EB4363-5A3C-60F5-180D-00000000E501}77924672C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068712Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37B8-60F5-3700-00000000E501}32843308C:\Windows\system32\conhost.exe{43EB4363-5A3C-60F5-180D-00000000E501}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068711Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068710Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068709Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068708Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37A6-60F5-0C00-00000000E501}8283832C:\Windows\system32\svchost.exe{43EB4363-37B7-60F5-2B00-00000000E501}2896C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000068707Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37A4-60F5-0500-00000000E501}396512C:\Windows\system32\csrss.exe{43EB4363-5A3C-60F5-180D-00000000E501}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000068706Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.461{43EB4363-37B7-60F5-2D00-00000000E501}29443228C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{43EB4363-5A3C-60F5-180D-00000000E501}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000068705Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.462{43EB4363-5A3C-60F5-180D-00000000E501}7792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{43EB4363-37A5-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030730Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.521{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223F6DE45F0FB94C9392F853D70CE581,SHA256=2C0C0455DE1AD7DB8D34E15B89AC2AE9DA849572F0F76BC9E8A5B4632934EB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030729Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.521{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A061684DC157CBCA058C93D4C0E7035E,SHA256=41B5F782A92165046D91B328DBD70AED6A4D1F9812DCDB20F46040D28DF0F7BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030728Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3C-60F5-5106-00000000E601}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030727Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030726Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030725Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030724Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030723Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030722Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030721Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030720Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030719Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030718Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5A3C-60F5-5106-00000000E601}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030717Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.412{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3C-60F5-5106-00000000E601}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030716Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:56.413{53AF6CEB-5A3C-60F5-5106-00000000E601}2968C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030746Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.975{53AF6CEB-5A3D-60F5-5206-00000000E601}34682904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000030745Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.912{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD767F7CCFA3274555F06AC553343CC,SHA256=EBD9EC5B4B6ACC1AE3FE5968CC19424495DA2C26837956B0DFA9F772328B6ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068715Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:57.002{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D31C34E1D921D19E77D127127EF0E2A9,SHA256=BBBE039C20333259AC1E5C828A2FA2B7B44F7D6CBB1128A551C68B79439C52CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030744Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3D-60F5-5206-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030743Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030742Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030741Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030740Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030739Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030738Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030737Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030736Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030735Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030734Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A3D-60F5-5206-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030733Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.818{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3D-60F5-5206-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030732Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:57.819{53AF6CEB-5A3D-60F5-5206-00000000E601}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030761Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.959{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15557A735737CAB3761487D6C4852DC1,SHA256=39AA1A8E42FA039A91BFC302F1F008B15376A18856374895807A57C18E5859F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068716Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:58.003{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357BA5C95CC49F56A81248FAF6245A05,SHA256=B8C670E10181FA36C40C534EE86E23382FE5EAF952CAD44A71270350EB85B201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030760Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3E-60F5-5306-00000000E601}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030759Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030758Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030757Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030756Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030755Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030754Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030753Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030752Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030751Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030750Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5A3E-60F5-5306-00000000E601}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030749Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.912{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3E-60F5-5306-00000000E601}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030748Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.913{53AF6CEB-5A3E-60F5-5306-00000000E601}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030747Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.834{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=223F6DE45F0FB94C9392F853D70CE581,SHA256=2C0C0455DE1AD7DB8D34E15B89AC2AE9DA849572F0F76BC9E8A5B4632934EB56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030777Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.928{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F15901BF7065DE91A8D523768E4AF9C,SHA256=EB209BED1939675BDC02694E15DCB6E3A974BC492BB081FFB6216FD79C87F4C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030776Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.771{53AF6CEB-5A3F-60F5-5406-00000000E601}25202712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030775Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A3F-60F5-5406-00000000E601}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030774Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030773Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030772Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030771Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030770Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030769Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030768Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030767Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030766Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030765Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-39BE-60F5-0500-00000000E601}400520C:\Windows\system32\csrss.exe{53AF6CEB-5A3F-60F5-5406-00000000E601}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030764Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.584{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A3F-60F5-5406-00000000E601}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030763Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.585{53AF6CEB-5A3F-60F5-5406-00000000E601}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000030762Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:59.100{53AF6CEB-5A3E-60F5-5306-00000000E601}18923336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000068718Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:56.972{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068717Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:55:59.039{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69BEAE3F9581AC4BA1966672BAD48898,SHA256=350C1027F0226F90B8D4B223C91BB21644CC848B4DC535ED74A1058832309E56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030779Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:55:58.977{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030778Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:00.193{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAA7696B9D4AF6E3E85B5464FDFD8D7,SHA256=9755F1F34990CE48DE7721BAE8B41CD0E5A961AD383347B6C88EF354FBE40A8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068719Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:00.054{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54226BC60BDDEBCAE38765B2BD04A4FC,SHA256=9023E231B64C400AEA7E83B9D5EEFFD91C8AEC97938BEA9E2F1663FC19AB21AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030793Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.271{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D07564A1DB475E6A3E0C91EEB48C1400,SHA256=6FB0FD2960C639C4C03AE99F84289A38B3546DD92CA07A0DE899A31C782C95F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068720Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:01.100{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B61FD6FA8707FD6C617F7BDD03E386E0,SHA256=A6C42574DA7965C1819C4271981B8F465F11343E739213DEB4CC0931A811B163,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000030792Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-3A53-60F5-A900-00000000E601}37043692C:\Windows\system32\conhost.exe{53AF6CEB-5A41-60F5-5506-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030791Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030790Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030789Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030788Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030787Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030786Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030785Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030784Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030783Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BF-60F5-0C00-00000000E601}7203800C:\Windows\system32\svchost.exe{53AF6CEB-39C0-60F5-1C00-00000000E601}2024C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000030782Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-39BE-60F5-0500-00000000E601}400416C:\Windows\system32\csrss.exe{53AF6CEB-5A41-60F5-5506-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000030781Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.240{53AF6CEB-3A53-60F5-A500-00000000E601}3528680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{53AF6CEB-5A41-60F5-5506-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000030780Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:01.241{53AF6CEB-5A41-60F5-5506-00000000E601}3248C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{53AF6CEB-39BE-60F5-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000030795Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:02.506{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E491D468BA5EF784515256FFAA9EB9,SHA256=EEA0DA2774A7B9AC550DBC397E114226DCE22832678EFE4193AAEA2F45463D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068721Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:02.117{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=637A022DB1E8E6D57459012DAD0DCDE1,SHA256=8E7981B9F654B94BD4C4E43E855A6CBE42DC4A9E8814153068E3817D0EB085DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030794Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:02.365{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AD6BAE3FCBF1590E8F25A42D03D3108F,SHA256=F30BDE08CA85C20BA2877E6FFF140A64FCFF0B4980034EF978179636DD1EF1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030796Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:03.695{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1832C2C63E18BD35BFB2206D2F85628C,SHA256=277431C44FECFF181E0E0E8094F07742C37DC40A7E54969F7EE9C3F5C7BC843B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068722Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:03.136{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C901110684C07FB3670A8FF53CFC0F,SHA256=4386FED19188C5A86E68B2D8713BBB4AA54F528BFE95ABD4BE435675DF7ECE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030797Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:04.913{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1D2A1BC56B1EA3A0EE6BDD7FD4E56E,SHA256=1404E4EB3F29BD7487442D7C8369D07E0F0161598A88776C07928EB5F70E50B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068725Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:04.951{43EB4363-37B7-60F5-2D00-00000000E501}2944NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068724Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:02.047{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068723Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:04.182{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AFE252E90C2298E04BA59BA0A370D3E,SHA256=CDAE15467B8758FBA7955EAA8E8B9B0C931A733AC9BD1F11703A4CD8D8A2574B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030798Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:04.057{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068726Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:05.197{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C7270F8599CBD1DCD079D37FA7B656,SHA256=AC418324F53104CDA5458CDCB4E13AE0F7CF57B1E18C8339C7CDD2FA1E3D0309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030799Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:06.148{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB82BBB09061379A45BDD832DA87F4A4,SHA256=DBCE9762B04CA761103B58C52B9D2CDB25062ED65FC4C34ACCFD511B1A6E7B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068728Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:04.868{43EB4363-37B7-60F5-2D00-00000000E501}2944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000068727Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:06.214{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB19991DC1622B7A8CBFB06CB5C393D,SHA256=282B600D36BFF7A17D6B14906F8FC511277589F518C70951218AB0C64A155425,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030800Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:07.366{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF85C73C085F7AA4CDFDDBFFA8E7F62,SHA256=0CDF411CB05AB54C1E9A64059ECFA4CD4161FBE353A083A6D18A8C88C3F42691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068729Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:07.233{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09686DFD76CCCEDF84F8C1FA7A4B2511,SHA256=6A00542BC8958175FDF321ED206F4DDB20BD8452AD210A865D2CD257D4C1D87C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068731Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:07.144{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068730Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:08.264{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77451729C3E47C989899188126FDB10,SHA256=732134384606EDCA75294154FD28B082E1E5D557C359D2305C475C65C2C0F2EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030801Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:08.382{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EFD79FF89ED616CE2518CDEFD6ED32,SHA256=ABDFC5CC824AE7AA7A451C4E3E935DDCDBB7F19C0C175D1320462B75E86C0ADE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068732Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:09.279{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A16DCF88BA18BA41C472C5D3FDE3187,SHA256=CD093B56069D430F91A7CCB98C322CBD3A7C0E1ABFBD6DBDCF18B8AEFC6E54BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030802Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:09.398{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=675FE447A39850B5DD28A5B0DDFC47C6,SHA256=816867A49CEF45FD255C393D334C75961A4F7CFAADC90750A7A48606CE5350FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030803Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:10.413{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F25861BC31D14D583901EEF5B96F53,SHA256=DE20D183E8E83B8037DA59A81ECC68B23884FB5CC484C95A25B15817B62CA992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068733Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:10.312{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6F3D044E9ADAFCF75BE5BB7731FA01,SHA256=AA4F7D39082BB1EC69856F5613E6CA167188D9660763C090CECC0BCF25C4EA15,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030805Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:10.072{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030804Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:11.413{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E7F0250B60732647699397210C6A33,SHA256=ABBA9CDCAF6E04288A464FF6D177EB9410C46130D646B018EE2256AAAE1D65BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068734Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:11.331{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3118F5AF798A3A6672B7316F5F1F42EE,SHA256=53254F116A0D3BFFE0CEF77EF62F55F35D758521140C7DC7ECA9B1448E91F2A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030806Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:12.648{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1BDC3C75BEC8CE34C59331502632DA,SHA256=39359D5EDFE18088549FA6574900AF1541A38AEF4BBDD4A7A48BB1912299B2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068735Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:12.346{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CD2BAC0A78AA4B2382C2A270D754DAE,SHA256=4AAC1251B80361384AC40A8F8173D00ADD8E396B1D2C5DFAE6649F209526E157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030807Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:13.664{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D45E27D4EF39217E460400E1C2014F7,SHA256=2AAE0510941C592401C92DC35AFA94DB263473174A15BFCE604923010836EE61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068736Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:13.376{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10683FC3AFEFF662861C81497D639FEB,SHA256=EDD2E95F689CBA90F3F3FAF42BA2A956D6374D7153D601EA2A41FC116994EC23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030808Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:14.679{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84AB06614E55934BD87976B9DBFAEA8F,SHA256=6C48004A27E26417C21D105DF306119E3C3A4D30E57EE2ACB0F8F6859F12C8B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068737Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:14.409{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1AB48DCBEF3901F8818697FECD0A87,SHA256=B9177C67184C06D256103219B2751CD66E9B884CB1F1CBF4CDFD22B783BBD908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030809Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:15.757{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=339E6ED3C0356D6C326A3979C27033E0,SHA256=61155B01D647676F3AE2D5C3A571BF1B187F591A76601E0E0122A191C3A1A2DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068739Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:13.009{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068738Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:15.428{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D792583BB30028FA675E4B8A7A60933F,SHA256=57E5866742B3BB9F956FC8B3160BBF73404FDBEDAE4BF6E1BB1D4798BFBE9B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030810Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:16.790{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D932755D6F43728AAEAAAECFB98D26,SHA256=D686264F7ADBAB979137C372F6A3847B335AF636638D18C2BCE617FDF3BB632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068740Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:16.443{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F37521035A6291C3FB4727CE2872F4D5,SHA256=5625EC60D8E066E7FC1D62FD291E93A16CC674D7D834C2F724A94CA1EFDCCD48,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030812Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:16.026{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030811Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:17.804{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E19AF087DDDDF8442274EE2FD0C819F,SHA256=2D699605622CE59C628C10E0816E3C1203D30C94125B649BDF4109C2C0D31B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068741Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:17.473{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8996FDABF5CCCAC7B6FD37B1B9F5BB40,SHA256=94D1BFA9CF55A1EFC107A5B93FA037E4C6835A6907CC2F25F8D6503AD0ABD15F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068742Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:18.488{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D490D562EEC14C02801A4080130F98F,SHA256=CB69E9F61068AFE4A2B2731F5D0148F3ACAA2ACE215ADBF1BB40193973D63E4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000068744Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:18.136{43EB4363-37C2-60F5-6D00-00000000E501}3328C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-876.attackrange.local65307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000068743Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:19.505{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E513E7391DD9BFFF3238EA38D0C05923,SHA256=F8AE4552830CB67577C13D34E88A50AEF2850DAB3669E4014B4496EA403A6747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030813Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:19.038{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3480C45FD5F88FEF98B7E2DB369DE8,SHA256=DF4C78AE9C10740CD3050F64B90F162322D96A41B5403E30E39C579AF52A684E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068745Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:20.540{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FAF234C6701EC7C9840290FAC8A38C,SHA256=CD138F65DDC4382388D533B99BB2BB5226F9C7E4E80E1EF00D0C0A1B51FDC9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030814Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:20.054{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DB7D205C9D8314410D42EA88C83C77,SHA256=2FFE6D319E7B588E3022ECD4D5CF79D8844A691E85CC439C1FAF3B584541DA7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068746Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:21.570{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D19FF3D74F9611D5E28C8CBA1FBAF890,SHA256=42EEAC768EBE480B86FBDB8A3E3726E87FB0EF3E51B78DBF929D7FAC209F7732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030817Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:21.601{53AF6CEB-3A53-60F5-A500-00000000E601}3528NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=34B43CB5482E97939C978D543AD29A53,SHA256=739363F3E76EAE8B9CDD784A25FDC53A6FE45459ADAAE051587AB7A3EFF49119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030816Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:21.085{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDF0B02692089E9713168332F1F2AB9,SHA256=FA6E0769CAC9381E3C4E0EE8A8BEF8D74F594D66DDED76E96EA65CE592E6195D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030815Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:21.023{53AF6CEB-39BF-60F5-1100-00000000E601}964NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2CEF288069994313CBBA928FAE055D16,SHA256=EA2390EC456772E7CFC1435F6B12B4C9560C81F067ED74983546386A8A449F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030818Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:22.320{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24F213F118258BAC87F755FDBF7AFF44,SHA256=B73DD14A6BC7B367B1964452D280CA41AB61068F1A98701417C4C843D800EBEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068747Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:22.585{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94138FD918910610C3097CDA6DE8BCBB,SHA256=F2AAE1CB2AAB98DF1AFF43AC1B1F61B2CB09BE8D2942EF9DF0D3998F6112451D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000030820Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:23.559{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124F7AECB13B6AB44B5EA710434AEA95,SHA256=AE295A906C06287C2855D754D94AFECE290AD10F793BCCFA2663EB71C5BFD423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068748Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:23.622{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FEE8037EAD1C14ED06FEEABA100BF6,SHA256=49EF11B304D7D31BAB59FBAAEB8B3810CFA14615828B51B4928A8FE0623B89ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030819Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:21.463{53AF6CEB-3A53-60F5-A500-00000000E601}3528C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000030822Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:24.574{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4667DECB9894055D779D68AE3F1776C,SHA256=573A02060B764A83EACCF4BCB1AC9DA9E75536EF6E854086F4D22A8B696DDA5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068750Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:24.800{43EB4363-37A7-60F5-1300-00000000E501}676NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7F7A578D2F4927ED5A801B59E5DCDB91,SHA256=DA17E9B84C6EF28D9089DC34DE8C6D36271A792C2EB6D4809DA96A5C742CD68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068749Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:24.653{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F86A4D6590200EA033F211BFDE66539,SHA256=60915033158D8E20FFDB38286EF3155749F9E266F06A03CFA97B601E56AFCDDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000030821Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:21.964{53AF6CEB-3A5B-60F5-D300-00000000E601}3856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-286.attackrange.local51391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000030823Microsoft-Windows-Sysmon/Operationalwin-host-286.attackrange.local-2021-07-19 10:56:25.809{53AF6CEB-3A61-60F5-DC00-00000000E601}936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EADF031B41EF3158C381D141CE2703,SHA256=F90AE6D41415788C36EAC5450D1F0C4C5BC7542207AC6487C089BE149A7889A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000068751Microsoft-Windows-Sysmon/Operationalwin-dc-876.attackrange.local-2021-07-19 10:56:25.683{43EB4363-37C9-60F5-7600-00000000E501}2564NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6A7C65A53A7CC09C9D441D8DBA769A,SHA256=CCAF998DE5E5EA63E8EEE64B43704F4A2327F668001C51E6348EE574B888838A,IMPHASH=00000000000000000000000000000000falsetrue